My favorite football club doesn't care about protecting my password

Another case of weak security

I’m an Arsenal fan, and when I’m not busy tweeting my theories about the world you’ll find me on Twitter regularly commenting about football (soccer). Arsenal is one of the most successful clubs in English football — last year it was valued at £1.3 billion ($1.9 billion), making it the fifth most valuable association football club in the world. While Arsenal has some defensive issues on the pitch, it appears the club could also have some problems defending itself against hackers. I tried to reset my password at the club’s website yesterday and the end result left me shocked and angry. After emailing a support address (because the password reset form wasn't working) from an email address that’s not associated with my Arsenal account, I was told "your password starts with 19 and looks like it is one you made up yourself."

Wait, what. A customer services rep could see my password and then disclosed part of it to a random email address. My mind was blown, but then things went from bad to worse. I triggered the password reset option from the site eventually, and a password was sent in plain text straight into the email address associated with the account. After being told the first two letters of my password, the shock really hit home when I saw a password just sitting there in an email. Most sites force you to create a new password using a web form so that the result is stored in a database securely. Emailing passwords like this is a security no-no, and really bad practice.
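As an added illustration (not code from Arsenal.com or from this article), here is a minimal Python sketch of the practice described above: only a salted, slow hash of the password is stored, so nobody on staff can read it back, and a reset emails a short-lived, single-use token instead of a password. The in-memory dictionaries, function names and 15-minute lifetime are assumptions standing in for a real database and mail system.

```python
import hashlib
import hmac
import secrets
import time

USERS = {}         # email -> {"salt", "pw_hash"}; assumed stand-in for a database
RESET_TOKENS = {}  # sha256(token) -> (email, expiry); the raw token is never stored
TOKEN_TTL = 15 * 60  # assumed reset-link lifetime in seconds

def _hash_password(password, salt):
    # Slow, salted one-way hash: staff and attackers see only this digest.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def set_password(email, password):
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "pw_hash": _hash_password(password, salt)}

def check_password(email, password):
    rec = USERS.get(email)
    if rec is None:
        return False
    candidate = _hash_password(password, rec["salt"])
    return hmac.compare_digest(rec["pw_hash"], candidate)

def request_reset(email, now=None):
    """Return a token to email as a link, or None for an unknown address."""
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).digest()
    RESET_TOKENS[key] = (email, now + TOKEN_TTL)
    return token

def complete_reset(token, new_password, now=None):
    """Called by the web form: the user chooses the new password there."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).digest()
    entry = RESET_TOKENS.pop(key, None)  # pop makes the token single-use
    if entry is None or now > entry[1]:
        return False
    set_password(entry[0], new_password)
    return True
```

A production service would send the same response to the requester whether or not the address is registered, so the reset form cannot be used to enumerate accounts.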

Most people reuse their password on multiple sites and services

100,000 Arsenal members could be affected if someone successfully breached the site, but the effects don’t just end there. Those 100,000 people could have their email accounts breached, Facebook accounts hacked, and even money stolen from their bank accounts because Arsenal.com was sloppy with security and password storage. That might sound a little illogical, but the problem is most people reuse the same password across multiple sites. It’s a human process designed to make passwords easier to remember, and it’s a tough problem for the industry to tackle.

"As you would expect, we take our ongoing technology security very seriously, and are currently in the process of an exhaustive security review," says Hywel Sloman, Arsenal’s IT director, in an email to The Verge. "This is the last issue outstanding and we expect it to be resolved soon. We have also reinforced our security policies with our customer service staff."

If Arsenal can afford to pay Alexis Sánchez £140,000 ($211,000) a week, it can afford to invest a little time and effort into protecting its customers and biggest fans. What worries me here is that a club as big as Arsenal has such weak security. You can imagine how smaller sites that people register with could contribute to the overall problem of huge databases of passwords being leaked online.

Always remember not to reuse your password and use a password manager if need be, because even though Arsenal plans to fix things, there are always thousands of other sites that are equally reckless with your privacy.