- Click on the "I forgot my password" link.
- If they email you your password, you know they stored it in clear-text somewhere. You should complain. Sadly, their first-tier support probably won't understand and will assure you that they take security seriously and you have nothing to fear. Oh well, at least you know, and can choose to use a different company or at least use a password you aren't using anywhere else (which you already do, right?).
- If they email you a code to reset your password or a temporary password, then either they stored a hash of the password (hopefully they did it right), or they're doing it wrong and their password-recovery system obscures this fact.
Every sysadmin should know how to properly store users' passwords in a database, even those who aren't programmers. It helps you evaluate services that you may use.
How to properly store passwords in a database:
- A short description.
- A longer explanation.
- A longer, detailed tutorial that explains hashing and other concepts, plus SQL code examples.
(This post was inspired by this problem that was recently reported.)
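What "doing it right" looks like behind the "I forgot my password" link, as an added example that is not from the original post: the database holds only a per-user salt and a slow hash, so the only thing the service can email is a one-time reset token. The table layout, function names, the in-memory SQLite database and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # No plaintext or encrypted-password column exists: only salt, work factor and hash.
    db.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, iters INTEGER, pw_hash BLOB)"
    )
    db.execute("CREATE TABLE resets (token_hash BLOB PRIMARY KEY, name TEXT)")
    return db

def _derive(password: str, salt: bytes, iters: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)

def set_password(db, name: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # unique random salt per user
    db.execute(
        "INSERT OR REPLACE INTO users VALUES (?, ?, ?, ?)",
        (name, salt, ITERATIONS, _derive(password, salt, ITERATIONS)),
    )

def verify_password(db, name: str, password: str) -> bool:
    row = db.execute("SELECT salt, iters, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, iters, stored = row
    # Re-derive and compare in constant time; nothing is ever decrypted.
    return hmac.compare_digest(stored, _derive(password, salt, iters))

def start_reset(db, name: str) -> str:
    # "I forgot my password": mail a one-time token, since the password cannot be recovered.
    token = secrets.token_urlsafe(32)
    # The token is high-entropy, so a plain SHA-256 of it is enough to store.
    db.execute("INSERT INTO resets VALUES (?, ?)", (hashlib.sha256(token.encode()).digest(), name))
    return token

def finish_reset(db, token: str, new_password: str) -> bool:
    token_hash = hashlib.sha256(token.encode()).digest()
    row = db.execute("SELECT name FROM resets WHERE token_hash = ?", (token_hash,)).fetchone()
    if row is None:
        return False
    db.execute("DELETE FROM resets WHERE token_hash = ?", (token_hash,))  # single use
    set_password(db, row[0], new_password)
    return True
```

A production version would also expire reset tokens after a short time and rate-limit both login and reset requests.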
It should be pointed out that if number one happens, it doesn't guarantee that they store it in clear text. It may mean that they store it with reversible encryption. Neither instance is very good, and either one should give cause for concern (there is *never* a need to decrypt the password).