So I wrote a letter to the FCPS technical support line, explaining the problem, and why it’s a bad idea to send passwords instead of a link. (In brief, because (1) if the site can send the password, that means they’re not storing it in a one-way hashed form as is best practice, (2) many people use the same password for multiple sites so any compromise of the site containing the password could compromise the user on multiple sites, and (3) email is insecure.) I got back a pleasant reply saying they would investigate, and after a few days was told that the problem was in Blackboard’s product, and they would follow up with Blackboard. It’s not the most critical security problem, but since site compromise causing password theft is a common source of identity theft, it’s an important problem to solve promptly.
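The reset-link design the letter argues for, written out as an added example (not code from the original post, nor from FCPS or Blackboard): passwords are stored only as salted one-way PBKDF2 hashes, and the e-mailed link carries a random token that the server stores only in hashed form, that expires, and that can be redeemed once. The `example.test` URL, the in-memory tables and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory "database" for the example; a real site persists this.
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) hex -> {"user": str, "expires": float}

PBKDF2_ITERATIONS = 600_000   # current OWASP guidance for PBKDF2-HMAC-SHA256


def _hash_password(password: str, salt: bytes) -> bytes:
    # One-way KDF: the site can check a password but can never mail it back.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _now(now):
    return time.time() if now is None else now


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)           # per-user salt defeats rainbow tables
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def issue_reset_link(username: str, base_url: str, ttl_seconds: int = 900, now=None) -> str:
    """Build the link to e-mail. Only a hash of the token is stored, so a
    dump of RESET_TOKENS cannot be replayed; the token also expires."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": username, "expires": _now(now) + ttl_seconds}
    return f"{base_url}/reset?token={token}"


def redeem_reset(token: str, new_password: str, now=None) -> bool:
    """Single use: the record is removed whether or not the token was valid."""
    rec = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if rec is None or _now(now) > rec["expires"]:
        return False
    register(rec["user"], new_password)      # new salt, new hash
    return True
```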
Feeling that I, as a security professional, probably knew more about how to make this work than FCPS, I contacted Steve Feldman, the Vice President of Performance and Security Engineering at Blackboard (whom I found on LinkedIn). I explained to Feldman why storing and sending passwords is a problem, and asked him to investigate. Feldman responded promptly, understood the problem, and forwarded me to one of his lieutenants with the title “Director, Security, Blackboard Learn”, who also promised to investigate and respond promptly, and forwarded me to someone in technical support for Blackboard Connect, which I assume is a different product. And that’s where things went downhill. […]
Continues at What happens when responsible disclosure fails?.