JetBlue stores plaintext passwords — and emails them too! Ugh.

Posted by on Aug 11, 2011 in Uncategorized | 3 Comments

I recently had a bad experience flying (or trying to fly, I guess) JetBlue. When I called in to ask for a refund on my ticket, the customer service agent and her supervisor were very helpful and gave me a credit. This resulted in an automated email from JetBlue telling me that a TravelBank account had been created for me. It contained my TravelBank account number, my email and my plaintext password from my JetBlue account!

As anyone who knows anything about computer security knows, you should never, ever store plaintext passwords in a database, not even so that people can recover their passwords when they forget them. And never, ever send them via e-mail, an insecure medium.

I’ve always been disappointed with the quality of JetBlue’s website, but the fact that they have not even followed basic security procedures is really scary. This isn’t just academic: Reddit did something similar and then lost a copy of their DB, which gave hackers a long list of (email, password) pairs. Since many people use the same password all over the place, this is especially dangerous — having a very complex password may prevent hackers from figuring out your password from a hash, but that is useless if passwords are stored as plain text.

If any developer at JetBlue is reading this, you really need to do the following:

  1. Stop emailing passwords in the clear
  2. Start storing passwords using something secure, like PBKDF1 (RFC 2898)
  3. Please don’t use something like MD5 or SHA-128 for hashing passwords. Why? Read this thread.
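To make recommendation 2 concrete, here is an added example (my own illustration, not JetBlue’s code or anything from the original post). RFC 2898 defines both PBKDF1 and PBKDF2; this uses PBKDF2 with HMAC-SHA256, a random per-user salt and an iteration count stored alongside the digest, so a login can be verified without the password ever being stored or emailed. The record format and iteration count are my own choices.

```python
# Added example: salted PBKDF2-HMAC-SHA256 password storage and verification.
# The stored record holds only salt, cost and digest, never the password itself,
# so a leaked table yields slow-to-crack digests instead of (email, password) pairs.
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # cost parameter (assumed policy); raise it as hardware gets faster
SALT_BYTES = 16
DKLEN = 32             # derived-key length in bytes


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record "pbkdf2_sha256$iterations$salt$digest"."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # unique per user: equal passwords give different records
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and cost; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(parts[1]), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)   # no early exit on the first wrong byte


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a lower cost than current policy; rehash at next login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")   # constructed sample password
    print(rec)                                           # password itself is not recoverable from this
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("Tr0ub4dor&3", rec))                     # False
```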

I’ve changed my password and will avoid using JetBlue until they fix this.
This kind of thing really happens too often — in fact, just recently Pingdom was discovered to store passwords similarly, and was widely criticized. So let this be a good lesson — everyone should use different passwords for each different site, and we should just listen to XKCD’s advice about passwords.

Here’s the text of the email I received:

Thank you for choosing JetBlue and welcome to our new credit tool, Travel Bank.
Travel Bank is an online account that allows customers to manage their credits with JetBlue. It will replace the current vouchers and credit shells that may be familiar to you. For our TrueBlue members however, TrueBlue points will still be managed as a part of the TrueBlue account. For more detailed information regarding Travel Bank and your credits, click here.
A Travel Bank account has been created for you and transactions can be viewed online by clicking Here. 

Below you will find your account number and login information. Please keep this email as it is the only password notification you will receive. You will need to enter the following Travel Bank login ID and password when accessing your Travel Bank account online.

Travel Bank Account Number: YYYYYYYYYYYYY

Login ID: XXXXX

Password: XXXXX


3 Comments

  1. Evan Jones
    Sunday, 14 August 2011

    WestJet does the same thing as part of their frequent flyer program. Shameful. I wrote them a nasty customer service letter, but I don’t suspect that will do anything.

  2. Todd
    Wednesday, 7 September 2011

    I received the username and password of a different traveller (one who was traveling with me). In plaintext. Right, not my own password, but someone else’s! This seems really, really bad.

  3. VaNTa
    Monday, 28 May 2012

    The fact that you were sent a plain text password doesn’t mean that it’s stored this way in DB.
