Fasthosts, “the UK’s number 1 web host” (by self acclamation I’m sure) is in the news today because apparently all of their customers’ passwords (in plaintext) were compromised by a security breach. They’ve asked all of their customers to change their passwords immediately, and of course since many people use the same passwords on multiple web sites, the breadth of this breach could be quite large.

I first heard about this on Brad Kingsley’s blog, and I have to share Brad’s thoughts on the one thing Fasthosts said that makes no sense whatsoever (and if you read the comments on the Register article you can see most people share this opinion). They claimed:

“Historically, Internet companies have rarely encrypted passwords to aid customer service”

Excuse me? I think “Internet companies” is a pretty broad term to be throwing around in the first place, but I don’t think hashing of passwords is all that new. And I’d say in the 21st century it’s pretty much a given that it’s a best practice and should be the rule, not the exception. So, I agree with Brad (and I’m happy that I’m hosting my applications with Orcsweb) that Fasthosts shouldn’t try and speak for anybody else, nor should they try and lessen their failure by trying to say “but everybody else is just as insecure” when plainly this is not so.