Poor Password Practice – Some Utilities Use Service that Sends Passwords in Plain Text

After a concerted attempt at responsible disclosure to the vendor who designed his power company’s website, an anonymous security researcher shares his September 2018 discovery of poor password practices. According to ArsTechnica, the researcher reached out to SEDC, an Atlanta firm that provides utility software solutions, after the troubling discovery that his power company’s website was sending plain-text passwords in-lieu of a reset for forgotten credentials. While this deficiency is not unique to this vendor, the incident highlights the lingering practice that unnecessarily places customer data at risk. SEDC has stated the way their software handles forgotten password requests has been changed. However, as SEDC provides software solutions to water, cooperative, and multi-service utilities, it is possible water and wastewater utilities could have been affected. It is recommended that members assess the security practices of their website vendors as part of their vendor/third-party risk management strategy to assure service providers are employing best practices of encrypting passwords and never sending them in plain-text. arstechnica