SAP security

I ordered some software from SAP about five years ago. Today I needed to access the order data (long story), so I attempted to log in to my account. I have my order number, so I used the “forgot password” function. I figured I’d receive an email with a link to reset my password, or possibly a temporary password I could use. Instead, I received this:

Dear Jeff Schroeder,

Thank you for contacting us on SAP.

The password you requested is: somepassword

Please ensure that no additional spaces are copied when using the ‘copy/paste’ function to enter your password.

Customer Service

Note that somepassword was my actual password. They sent it in a plain-text email. This means they’re not hashing the password, and possibly not even encrypting it in their database. Rule number one of password security is to never have password data in a format where it can be recovered like this. For a supposedly “enterprise-level” company like SAP, this is shameful. I can’t believe that in 2014, after all of the password breaches we’ve seen in just the last year, there are companies who still do this.
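As an added illustration (not part of the original post), here is what that rule looks like in code: only a salted PBKDF2 hash is stored, so the “forgot password” path can issue a single-use, time-limited reset token but can never echo the password back, because nothing in the store can be turned back into it. The in-memory user store, the usernames and the 15-minute token lifetime are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor
TOKEN_TTL_SECONDS = 900       # reset links expire after 15 minutes (assumed policy)

USERS = {}         # constructed in-memory store: username -> {"salt", "hash"}
RESET_TOKENS = {}  # sha256(token) -> (username, expiry); tokens themselves are never stored


def store_password(username, password):
    """Keep only a random salt and the derived hash; the plaintext is discarded."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    USERS[username] = {"salt": salt, "hash": digest}


def verify_password(username, password):
    """Re-derive from the candidate and compare in constant time; no recovery possible."""
    rec = USERS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(digest, rec["hash"])


def forgot_password(username, now=None):
    """The only thing a reset flow can send: a fresh random token, not the password."""
    if username not in USERS:
        return None  # the caller should still send the same generic reply to the requester
    token = secrets.token_urlsafe(32)
    expires = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
    RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = (username, expires)
    return token


def reset_password(token, new_password, now=None):
    """Consume the token (single use), reject it if expired, then set a new hash."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).digest(), None)
    if entry is None:
        return False
    username, expires = entry
    if (now if now is not None else time.time()) > expires:
        return False
    store_password(username, new_password)
    return True
```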

Naughty, naughty, SAP.