I’m not going to name any companies here but I recently cashed in a freebie. It was one of those introductory offers in which you get something for nothing and are then asked to sign up so you can use the (paid) service in future. As it happens, this piece of marketing worked and, having poked around the site for a bit, I decided I would create an account so I could order personalised presents in future.
So I opened KeePassX, generated a (very long, very random) password and pasted it into the sign-up form. This is where things started to go awry.
My sign-up password was rejected because it was too long. This is always a bit concerning. A password hash is a fixed-size output whatever the length of the input, so a site that hashes passwords properly has no reason to cap their length. If a sign-up form tells you your password is too long, it’s a bit of a giveaway that they are not hashing passwords properly and are probably a bit ramshackle when it comes to security.
Still, they already have my address for the freebie so I shortened my password and pasted it in.
And then they emailed my (clearly unhashed) password back to me.
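To show what "hashing passwords properly" looks like in practice, and why a correctly built sign-up form has no reason to reject a long password or to be able to email it back, here is an added example (not code from the site in question or from this post). It uses Python's standard-library PBKDF2-HMAC-SHA256 with a random per-user salt; the iteration count, the record format and the in-memory user store are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware.
ITERATIONS = 600_000
SALT_BYTES = 16
MIN_LENGTH = 12  # a lower bound is sensible; an upper bound is not needed

# Constructed stand-in for a user table: email -> stored hash record.
USERS = {}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$digest'.

    The digest is always 32 bytes regardless of how long the password is,
    so the stored record has the same size for a 12-character password
    and a 200-character one.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iters)
    )
    return hmac.compare_digest(actual, expected)


def sign_up(email: str, password: str) -> Tuple[bool, str]:
    """Sign-up handler: enforce a minimum length only, then store the hash.

    The plaintext password is never stored, so there is nothing to email back.
    """
    if len(password) < MIN_LENGTH:
        return False, "password too short"
    USERS[email] = hash_password(password)
    return True, "ok"


def log_in(email: str, password: str) -> bool:
    record = USERS.get(email)
    if record is None:
        # Hash anyway so a missing account takes as long as a wrong password.
        hash_password(password)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    long_pw = "x" * 200
    print(sign_up("short@example.invalid", "correct horse battery"))
    print(sign_up("long@example.invalid", long_pw))
    print(log_in("long@example.invalid", long_pw))   # True
    print(log_in("long@example.invalid", "wrong"))   # False
    print(USERS["long@example.invalid"])             # no trace of the password
```

The only length check is a lower bound; the 200-character password is accepted, its stored record is exactly as long as the short password's, and the record contains nothing from which the password could be recovered or emailed. One caveat worth knowing: bcrypt truncates input at 72 bytes, so a cap in that region is defensible for a bcrypt-backed site; a cap well below it is the warning sign described above.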
The company in question does not have my credit card details. This company will never have my credit card details.