Biz & IT —

Meet Greyhound.com, the site that doesn’t allow password changes

Greyhound allows four-digit PINs and stores them in plaintext.

Dan Goodin - May 1, 2017 5:28 pm UTC

Enlarge / This is what Greyhound.com e-mails you when you forget your password.

When it comes to websites with bad password policies, there's no shortage of bad actors. Sites—some operated by banks or other financial services—that allow eight- or even six-character passwords, sometimes even allowing letters to be entered in either upper- or lower-case? Yup. Sites that e-mail forgotten passwords in plaintext? Sadly, all the time. Ars largely stopped reporting on them because they're better covered by Twitter accounts like this one.

But recently, I saw a site policy so bad I couldn't stay quiet. It's Greyhound.com, a site that among other things lets people book bus travel and redeem rewards for past trips. The site allows passwords as short as four characters—including 1234. And when a user forgets a password, Greyhound.com will send the plaintext of the PIN or password in e-mail, an indication that the site isn't using any sort of cryptographic hashing to protect user passwords in the event that Greyhound's database is ever breached.

Worst of all: Greyhound.com provides no mechanism for changing a password. Ever. If an account is breached or a password is compromised, the account is stuck with that bad passcode indefinitely. Last week, I explained to a Greyhound spokeswoman why password hashing and password resets were crucial to security and asked if her company had any plans to add them to Greyhound.com. Her response:

"Per your inquiry regarding the website, this is on our roadmap to address, but at no time has a customer’s payment information been compromised when purchasing tickets on our website."

What Greyhound doesn't seem to understand is that many of its customers use the same password to protect multiple accounts. By storing passwords in plaintext, the bus service puts all of those accounts at risk. And the lack of any means to change passwords is just... breathtakingly negligent. Until Greyhound officials make basic security a priority, users should strongly consider deleting all data stored in their accounts and closing them the only way currently possible—by changing the e-mail address to a non-existent address such as formercustomer@example.com.

Listing image by ABC Photo Archives / Getty Images

Promoted Comments

Doop Smack-Fu Master, in training

jump to post

Would you consider doing a story on https://borrower.ecsi.net/ ?

Same thing, your password is an unchangeable 5-digit PIN that they email to you in plain-text. But your username is your SSN. And you can't get rid of your account until you pay off your student loans.

Fortunately they're not vulnerable to SQL injection, as far as I could tell. I really wanted to email them their entire list of SSNs / passwords.

4 posts | registered 8/3/2016
rabish12 Ars Praefectus

jump to post

Hat Monster wrote:
show nested quotes
Hat Monster wrote:
This article is mere alarmism unless it is shown that greyhound.com stores payment details or other sensitive information itself. It may use a third party to authenticate payments. We don't know, it isn't stated. It's important.

The fact of the matter is that people reuse passwords. So even if Greyhound doesn't store sensitive information behind the password, a breach of the database can be very damaging to these users because *other* services do store sensitive information.

Sure, you can argue that users should know better and use password managers and so forth. But this is not the case today, so Greyhound is indeed being irresponsible.

You're quite right, they do.

This isn't Greyhound's problem, however. It's a community problem. Greyhound's problem is how much of that data can be accessed by someone authenticating just with the username and password.

Dan didn't say. It's very important, and I want every downvoter to explain why it's not important to know how much personal data Greyhound exposes, and why it's okay for Dan to not reveal this.

This is a community problem and Greyhound's problem. The onus is on developers both to prevent exploitable flaws in their system's technical design and to do their best to protect users from their own stupidity. Greyhound's site currently does neither, and even the few details exposed in Dan's article would be enough to make them fail even the most basic kind of security audit.

It'd be nice to have more information if that information is available, but as it is, what's shown in the article is damning enough for anybody who has even a basic understanding of digital security.

6583 posts | registered 11/25/2009

Promoted Comments

Doop Smack-Fu Master, in training

jump to post

Would you consider doing a story on https://borrower.ecsi.net/ ?

Same thing, your password is an unchangeable 5-digit PIN that they email to you in plain-text. But your username is your SSN. And you can't get rid of your account until you pay off your student loans.

Fortunately they're not vulnerable to SQL injection, as far as I could tell. I really wanted to email them their entire list of SSNs / passwords.

4 posts | registered 8/3/2016
rabish12 Ars Praefectus

jump to post

Hat Monster wrote:
show nested quotes
Hat Monster wrote:
This article is mere alarmism unless it is shown that greyhound.com stores payment details or other sensitive information itself. It may use a third party to authenticate payments. We don't know, it isn't stated. It's important.

The fact of the matter is that people reuse passwords. So even if Greyhound doesn't store sensitive information behind the password, a breach of the database can be very damaging to these users because *other* services do store sensitive information.

Sure, you can argue that users should know better and use password managers and so forth. But this is not the case today, so Greyhound is indeed being irresponsible.

You're quite right, they do.

This isn't Greyhound's problem, however. It's a community problem. Greyhound's problem is how much of that data can be accessed by someone authenticating just with the username and password.

Dan didn't say. It's very important, and I want every downvoter to explain why it's not important to know how much personal data Greyhound exposes, and why it's okay for Dan to not reveal this.

This is a community problem and Greyhound's problem. The onus is on developers both to prevent exploitable flaws in their system's technical design and to do their best to protect users from their own stupidity. Greyhound's site currently does neither, and even the few details exposed in Dan's article would be enough to make them fail even the most basic kind of security audit.

It'd be nice to have more information if that information is available, but as it is, what's shown in the article is damning enough for anybody who has even a basic understanding of digital security.

6583 posts | registered 11/25/2009

Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.

Channel Ars Technica

← Previous story Next story →

Further Reading

Promoted Comments

Promoted Comments

reader comments

Channel Ars Technica