Smart Enough Not To Build This Website

@Niels: Even with agreement on a one-time salt, that doesn’t mean they have to store it in plain text. They could apply the same technique to a hash.

I think the biggest issue is that if you didn’t get your card yet, how do they have your e-mail address registered? Does that mean that if you never get your card you will just never be able to log in? It’s not like there is a contact us link that you can explain your situation with.

They should never store passwords in plain text, or in any other way that makes it possible to be read in plain text (eg, encrypting). The password should be hashed (using salt) and stored in a database… To be able to access your account even though you forgot the password, they should create a new password on the fly (eg. 1n23asds), send that in the email, hash it and store it as the new password in the database.

The web site, like everything else in the national office of American Mensa, Limited, is operated by paid staff who are not members.

Mind you, many of them could be members, were it not for a rule disallowing it. But they operate mostly with off-the-shelf software and limited staff and funding. Just like a lot of you.

@Niels
Whatever you can do with a plaintext password you can do the same with hashed versions also. Right? Tell me if I am missing something.

In the case of hashed passwords, even if someone is eavesdropping only one password is lost. But if the database is in plaintext and the database is lost, everything is lost. Right?

I would never join an institution that would have me as a member. :wink:

@Luke

I think the point is that they should have the intelligence to become knowledgeable about the correct way of making a secure website.

@Luke
They (Mensa) must be intelligent enough to hire the RIGHT people to do their website.

@Ian: Excellent point, and one I was refraining from making to Niels. There are tons of far more secure solutions… but which of them are trivial enough to be worth bothering with, to protect the particular asset in question? Even the already-mentioned no-no of sending plain text passwords via email, often along with the corresponding user ID, is perfectly tolerable for some sites. How much do you want to invest in the site’s security, and how many hoops do you want to make the user jump through?

Seems to me there are (at least) three stages of security awareness:

  1. Ignorance: I don’t have anything to protect! Nobody would bother to attack me!
  2. Paranoia: OMG, there are h4x0rz! Lock everything down tight!
  3. Rationality: Don’t invest in a $100 lock to protect a $10 bike.

-Dave, life member, American Mensa

You’re all only half right. Not only is there a blatant security issue, they used TABLES in their markup.

TABLES! Burn them with fire!

Which is what I’ll have to do to Jeff, judging by his latest twitter!

The problem is hard to see until you go to the actual website: they used ColdFusion!

Dave, about your point 3: You underestimate the value the passwords themselves have. Few people use different passwords for all their online accounts. I don’t believe for one second that Mensa members are any different. The lock might not be worth protecting a $10 bike but on the other hand don’t hand out the key if it also opens your high-security vault.

So, yes, storing passwords in plain text is always a problem, even if it’s only used to secure trivial content.

@OS / @Cybercat - You guys have it right.

Everyone: Look at what is highlighted on the top tabs and sidebar.
Events - Calendar

But you’re on the password reset page?

The funny part is that this is the Mensa website, so they’re supposed to be sooper smarrt.

I love this quote: I thought you were a member of MENSA, until you spelled it wrong.

But I actually disagree with that. There was a guy here at work who was actually a member, but he was the weirdest guy. Very quirky, very annoying, very bad speller.

This is not the real Mensa site, just a clever deceit to delude us into thinking that this Mensa thing is nothing but some kind of chess club for dorks. The actual Mensa site is rigorously secured, runs on UFO technology and is their discussion platform for the secret world government.

The message should say, check under your keyboard first. lol

NO CAPTCHA

I think the first error is in spelling out to the user (or potential hacker) that the password was written out on a plain sheet of paper and mailed.

Some cheap social engineering could have them mail the password out to a new address. ‘I just moved. I work at this other institution now. etc.’

Or you could just dumpster dive.

The second error is saying that the stored password will be emailed to the stored address. If the email is compromised, that’s an issue. Another vector would be to sniff the traffic.

Lastly, sending the password. They should send a confirmation link which the user then clicks on. The page should log the time, their IP, and have them create a new password.
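As an added example (not code from this thread or from the Mensa site), here is the flow the two comments above describe: store only salted hashes, and on a forgotten password email a single-use, expiring confirmation token rather than the password itself, then let the user pick a new one. The `_users` and `_reset_tokens` dicts are constructed in-memory stand-ins for a database.

```python
import hashlib
import hmac
import os
import secrets
import time

_users = {}          # constructed stand-in for the user table: username -> {salt, hash}
_reset_tokens = {}   # constructed stand-in: sha256(token) -> (username, expiry timestamp)
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username, password):
    # Only the salt and the slow hash reach storage; the password itself is never kept.
    salt, digest = hash_password(password)
    _users[username] = {"salt": salt, "hash": digest}


def verify_password(username, password):
    rec = _users.get(username)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])   # constant-time comparison


def issue_reset_token(username, ttl_seconds=900, now=None):
    """Create the token that goes in the emailed link; only its hash is stored server-side."""
    if username not in _users:
        return None   # the web layer should still show the same message either way
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = (username, now + ttl_seconds)
    return token


def redeem_reset_token(token, new_password, now=None):
    """Consume the token once; reject it if unknown or expired, else set the new password."""
    now = time.time() if now is None else now
    entry = _reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or entry[1] < now:
        return False
    register(entry[0], new_password)
    return True
```

A real deployment would also log the redemption time and client address, as the comment suggests, and rate-limit the request endpoint.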

@Gareth
You honestly think that if someone can get a copy of your database, they won’t also get the key? It would be especially easy in this case since the password recovery page needs access to the key somehow.

@Aaron G:
Unless I’m sorely mistaken, the best attack on SHA-1 is 2^69 ops to find a collision. Seems just a bit safer to me than storing in plain text. Still, your point is well-taken – there’s no good reason not to use a hashing algorithm that is currently considered more secure.

I seriously think that high IQ programs ruin people. Suddenly they think they deserve everything and shouldn’t have to work and study anymore because they were gifted with high intelligence.

Yes, I was in one, and I have had to spend a large portion of my life learning that you still have to stick your nose in the dirt and work to get ahead (Of course, we all have to learn that).

I would have been better off without it. However, at the same time, it would have been nice if we had more accelerated regular classes. But those classes would simply reward those who moved quickly. They could get there by talent, or by studying hard, or by asking the right questions—it doesn’t really matter. Then I would have learned that working hard got me ahead, rather than thinking it was some kind of birthright.

Not everyone in such programs has this problem. Some of them are actually smart enough to realize early on that they aren’t actually that smart and not get all caught up in their own intelligence.

Anyway, that’s why those people are so quirky and weird and don’t bother doing anything the way they should—they believe they don’t have to, they are entitled to do as they please.

The decision to store raw passwords would typically be based on requirements for privacy. For instance, is there information associated with the user account that would be considered sensitive? Without knowing the properties associated with each account, it is difficult to say if this is a mistake. Does my online Mensa account exist only to manage my public user profile? If so, encrypting the passwords might be overkill for this application, assuming budget limitations.

Adam hits the nail on the head in his comment above. This system is essentially a lookup tool to determine Mensa membership, with no CAPTCHA.