t-mobile Fails Security 101.

I remember back when AdECN was in the process of being acquired by Microsoft. One of the things we went through was a security audit. We did pretty well, but they busted us for storing passwords in the database and made us code a change before the acquisition went through.

With the recent rash of website hacks and password database leaks (I'd link them but there are sooo many), you'd think that a company the size of t-mobile would have clued into best practices around passwords and know better. Apparently not, and best of all they're even dumb enough to advertise it on their login page. "Lost your password? Have it sent to your mobile phone." So clearly the passwords aren't being stored using a one-way hash. Good grief.