Part of my current work deals heavily with web security, data security and the like. As part of that, I subscribe to a number of information lists, mail services etc.

I signed up to a new one today – one of the better regarded (and indeed recommended by another security auditing agency) ones.

What concerned me during the signup process was this :

You may enter a privacy password below. This provides only mild security, but should prevent others from messing with your subscription. Do not use a valuable password as it will occasionally be emailed back to you in cleartext.

Seriously? Sending – and one assumes storing – a password in clear text is such a bad idea. It’s also a major no-no in every security list – including their own one. D’oh!

Obviously a case of “don’t do what we do, do what we say”.