
The EAA builders site is laughably bad.


pfarber

Well-Known Member
Joined
Feb 21, 2019
Messages
1,064
Location
Dollywood
I've had a few emails back and forth with the EAA tech dir about how bad the security of their site is. I mean it's crap.

So more proof....

I make an account on the EAA builders website. It requires a ton of stuff that should be simply copied over from my EAA membership, or better yet, just simply not required. They don't need my address or phone number... they have my EAA number. I mean they are showing when my membership expires, so they are definitely talking to another server with my account info.

Well, I sign up and they send me a welcome email, and it contains my password, in plain text. Ok, maybe it was part of a script that fired off during account creation and the password is safely encrypted. NOPE!

I requested my password at login (forgot password) and it emailed me the password, in PLAIN TEXT!!!

So that means that they are not using best practices w/r/t passwords or account security.

But so what? Well, remember when they were able to tell me when my EAA membership was due? Well that means that there is access to a main account server, or worse, they are using a single database without proper encryption. It's 2021. This is inexcusable at least as negligent and lazy at worst. It takes all of two lines of code to salt and one way hash a password.

This is middle school level scripting. I mean the builders site is obviously done by one of the board members' young children as a summer coding project... I hope.
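
Added example (not part of the original post, and not the EAA site's code): a Python sketch of the salted one-way hashing the post refers to, paired with a forgot-password flow that emails a single-use reset token because the stored hash cannot be turned back into the password. The function names, the `user` dict, the iteration count and the 15-minute expiry are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed value for this example)
RESET_TTL = 15 * 60    # reset-token lifetime in seconds (assumed value)

def hash_password(password: str) -> dict:
    """Return what the server stores: a random per-user salt and a one-way hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def verify_password(password: str, record: dict) -> bool:
    """Re-derive the hash from the login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])

def issue_reset_token(user: dict, now: float) -> str:
    """Forgot-password: create a random token; only its hash is kept server-side."""
    token = secrets.token_urlsafe(32)
    user["reset"] = {
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + RESET_TTL,
    }
    return token  # this goes into the emailed link; the password never does

def redeem_reset_token(user: dict, token: str, new_password: str, now: float) -> bool:
    """Accept the token once, before expiry, then store a fresh salted hash."""
    reset = user.get("reset")
    if reset is None or now > reset["expires"]:
        user.pop("reset", None)
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, reset["token_hash"]):
        return False
    user["password"] = hash_password(new_password)
    del user["reset"]  # single use
    return True

if __name__ == "__main__":
    # Constructed sample account for the demo.
    user = {"password": hash_password("correct horse battery staple")}
    print("login ok:", verify_password("correct horse battery staple", user["password"]))
    token = issue_reset_token(user, now=0.0)
    print("reset ok:", redeem_reset_token(user, token, "a new passphrase", now=60.0))
```

With this storage scheme a "forgot password" request has nothing to email except the reset link, so a site that can mail the original password back is not storing it this way.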
 