So my boss booked me a spot at a conference about "the future of online payments" and I received an email with auto created account (there was no sign up) with a clear text password.

I'm feeling pretty confident that I can trust them to guide and advise me on best practices when it comes to handling sensitive information.

Capetonians Unite!

I just tried to access the site in that screenshot and got a certificate error... Loads of trust right now...

They probably also stored his card or whatever in their DB, to keep "track" og transactions...

remind me of the rant I saw earlier where the password was in plaintext + it is 'p@ssw0rd' XD

I am thinking of going just to get two days off work :P

well, being fair, it says it's temporary. probably not stored. you must change it

@vhoyer yeah but also to be fair they probably shouldn't take the liberty of taking a email address from a booking reference fo4lr an event and create a user account with it (probably to make their stats look better). Even if you get past that - temporary or not a cleartext password is bad news for a whole lot of reasons, it's far better to use a one time token.

While I agree that a one time token is best, there's nothing wrong with generating a pass, sending it in an email then saving the hashed version in the db.

Odds are you'll be prompted to change it aftet the first login too.