Plaintext passwords – 2023 edition – Issaquah School District

Well – I thought the bad practice of not hashing passwords was behind us, but no, today another example popped up.

If you want a primer on password hashing – take a read of this from Troy Hunt (of Have I Been Pwned fame).

Short version – a hash is a one-way mathematical function that always produces the same output for a given input. It’s best practice to store passwords for websites as a hashed value (or hash+salt to be honest) – so in the event that the site database is compromised, there’s a list of usernames or emails, but no passwords. It also means that the site can’t get back to your old password – so you should never see a “mail me my password” option or get emails saying “here is your username and password”.

So, back to the school district. Their jobs page has a “create account” link, which lets you do the email address and password thing.


So far, so good. At login – there is the usual credentials page. But what’s that? A “Send Password” button.


And, as you’ve guessed, it sends back a cleartext password, to the email account used to sign up.


Behind all of this are job applications, and also PII including resume, certification information, disclosures, address and phone numbers.
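The hash+salt storage described earlier, and what a “forgot password” button can do when the site holds no recoverable password, as an added example that is not code from this post or from the site it describes. The PBKDF2 iteration count, the 15-minute token lifetime, the function names and the in-memory `db` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor
RESET_TTL = 15 * 60    # assumed reset-link lifetime, in seconds

def hash_password(password):
    """Return the only password material the site stores: salt + slow hash."""
    salt = secrets.token_bytes(16)  # unique per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}

def verify_password(record, candidate):
    """Login check: re-hash the candidate with the stored salt and compare."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])

def start_reset(db, email, now=None):
    """'Forgot password': issue a one-time token, store only its hash and expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    db[email]["reset"] = (hashlib.sha256(token.encode()).digest(), now + RESET_TTL)
    return token  # emailed inside a link; the password itself is never sent

def finish_reset(db, email, token, new_password, now=None):
    """Accept a new password only for a valid, unexpired, unused token."""
    now = time.time() if now is None else now
    token_hash, expires = db[email].get("reset", (b"", 0))
    supplied = hashlib.sha256(token.encode()).digest()
    if now > expires or not hmac.compare_digest(token_hash, supplied):
        return False
    del db[email]["reset"]  # single use
    db[email].update(hash_password(new_password))
    return True

# Constructed sample account, for illustration only.
db = {"applicant@example.org": hash_password("correct horse battery staple")}
```

Nothing in `db` can be turned back into the password, so there is nothing for a “Send Password” button to send.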


So what now?

The diligent thing is to contact someone, a Data Registrar, a Web Master – anyone really.

That’s going to be in the next blog post.