Recently, 37signals blogged touting their security in dramatic marketing terms. It's a pity that the reality doesn't match the claims.
Two of the major claims on the security page are "Your data won't be compromised" and "Our systems are hacker safe", and the related details talk about the firewalling and physical security of their data center. All that's great.
But there's a dirty little secret. 37signals stores passwords in plain text in their database (or, as commentators have pointed out, they could be storing the password encrypted using a key available to their application server; either way the password can be recovered by a hacker who gains access to their server). I found this out today when cancelling my Highrise account. I'd forgotten the password and so I went through password recovery. It instantly emailed me my password.
I'd expected to receive a temporary password and be asked to change it. But 37signals stored my password in their database and was happy to email it out. For me this isn't a disaster because I generate unique passwords for each registration, but for lots of people this is a big problem. Plenty of people use the same password on many different sites.
That means that if one site is compromised, hackers can get access to all of those users' other accounts. And a compromise can come in various forms: it could be actually hacking into 37signals, or it could be getting access to an old backup of their database.
But there's a solution to this: it's easy to implement, it completely eliminates the problem even if their site is hacked, and it's a security best practice. There are plenty of good descriptions of how to implement it. The Unix operating system has been doing this since the 1970s, so why is 37signals not doing it? Hard to tell.
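As an added illustration (not code from this post or from 37signals), here is the recoverable storage the post describes next to the salted one-way hashing that Unix has used since the 1970s, in Python. The row dictionaries and function names are assumptions standing in for a real user table.

```python
import hashlib
import hmac
import os
import secrets

# --- The design the post complains about (constructed illustration) ---
# The user row holds the password itself, so a database dump, an old backup,
# or a compromised application server yields every customer's password.
def store_plaintext(password: str) -> dict:
    return {"password": password}

def recover_plaintext(row: dict) -> str:
    # This is what an "it instantly emailed me my password" flow implies.
    return row["password"]

# --- The fix: keep only a per-user random salt and a slow one-way hash ---
ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware gets faster

def store_hashed(password: str) -> dict:
    salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}

def verify(row: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(row["salt"]), row["iterations"])
    # constant-time comparison avoids leaking how many leading bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(row["hash"]))

# Because the hash cannot be reversed, "forgot my password" must become a
# reset: email a random single-use token and store only its hash server-side.
def issue_reset_token() -> tuple[str, str]:
    token = secrets.token_urlsafe(32)                     # goes to the user's email
    stored = hashlib.sha256(token.encode()).hexdigest()   # kept in the database
    return token, stored

def check_reset_token(stored: str, presented: str) -> bool:
    return hmac.compare_digest(stored, hashlib.sha256(presented.encode()).hexdigest())

if __name__ == "__main__":
    row = store_hashed("correct horse battery staple")
    print(row)                                          # no password visible
    print(verify(row, "correct horse battery staple"))  # True
```

With the hashed row, a stolen database or backup gives an attacker only salts and digests to grind through, and the site can no longer email anyone their password even if it wanted to.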
In a posting in 2007, Jason Fried said that they planned to change this, but now it's 2009.
There's no excuse for this sort of lax security. If 37signals got hacked, they'd have to bow their heads in shame in front of every single one of their customers and admit that their passwords had been stolen. Why take the risk?