Website returning plaintext password

Quite obviously, if they can display your password, then they are storing your password somehow. They might cache your password on the client-side when you log in (for unjustifiable reasons, like session management), but more likely their password database is in clear text. Either way, it's stored and it should not be.

And it looks like they are running an upper() function on the password, which wipes out 26 characters from the potential character set that would have otherwise added some entropy.

This is very, very poor security on their part that has had no place for 2 decades.

The plaintext password is a gaping security issue.

  1. First, they shouldn't even know it. Passwords should be stored hashed and salted. Anyone who doesn't do that is an [censored by editors].
  2. Second, sending the password over the wire when not strictly necessary is a second huge security mistake.
  3. Third, including it in the webpage at this point only adds insult to injury.

That they throw out the case is harmless compared to that. It is actually something that can be a reasonable trade-off between security and usability. It might also be that they're using some ancient backend system that doesn't support upper/lowercase. I've seen that with mainframes. It should be written somewhere that passwords are case-insensitive, but honestly, compared to the first three strikes, this one is barely worth mentioning.
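As an added illustration of the "hashed and salted" point above (this is example code written for this page, not code from any of the answers or from the site in question), the following Python standard-library snippet shows what a login backend looks like when it never retains the password: the user table stores only an algorithm tag, a cost factor, a random per-user salt and the PBKDF2-HMAC-SHA256 output, verification recomputes the derived key and compares it in constant time, and the profile page has nothing to display because the plaintext is simply not there. The record format, the iteration count and the in-memory `UserStore` are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 parameters. The iteration count is an assumption for this
# example; benchmark it on your own hardware and raise it over time.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the password with a per-user random salt; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Build the string that goes into the user table: algorithm$cost$salt$key.

    The layout is an assumed format for this example, chosen so the cost and
    salt travel with the hash and can be upgraded per user later.
    """
    salt = os.urandom(SALT_BYTES)
    key = _derive(password, salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def verify(password: str, record: str) -> bool:
    """Recompute the key from the stored salt/cost and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, key_b64 = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    candidate = _derive(password, salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored record uses a lower cost than current policy."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


class UserStore:
    """Minimal in-memory user table (constructed for the example, not a real backend)."""

    def __init__(self) -> None:
        self._records: dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = make_record(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Do the same amount of work for unknown users so response time
            # does not reveal whether an account exists.
            _derive(password, b"\x00" * SALT_BYTES, ITERATIONS)
            return False
        ok = verify(password, record)
        if ok and needs_rehash(record):
            # Transparent upgrade: the plaintext exists only for this request.
            self._records[username] = make_record(password)
        return ok

    def profile(self, username: str) -> dict:
        """Everything a profile page can show about credentials: not the password."""
        return {"username": username, "password_set": username in self._records}
```

Note that `login` is case-sensitive because nothing case-folds the input; a backend that needs case-insensitive passwords for legacy reasons would have to normalise before hashing, and should say so on the login page. The dummy derivation for unknown users is there to keep timing uniform, the same reason `verify` uses `hmac.compare_digest` rather than `==`.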

To be honest, we don't know.

They could store the password in plaintext, they could store it encrypted. Both would be quite disastrous. They could store it in the session (i.e. server-side) when you log in which would be somewhat less disastrous but still bad. They could even have you store it in a cookie (i.e. client-side) and then have the script showing the user profile insert it to the form, which would also still be bad.

Whatever it is, there is no good reason, or sane reason, or in fact any reason that I could imagine why one would need, or even want to keep the password around needlessly and longer than absolutely necessary. Or, why it would need to be in the form.

The longer you keep something that's secret around, no matter how safe or unsafe, the higher the likelihood that "something" may happen and secrets are not secret any more.

So... whatever it is, it's generally not a good pattern. How serious it really is, we cannot tell.

Same goes for uppercasing the password. We don't know what they're doing there. They might consider every password all-uppercase, which would be quite bad since it makes a brute-force attack approximately twice as effective. Though in the light of possibly storing plaintext passwords, that's kinda negligible. Online brute-force attacks are unlikely and easily thwarted, and offline attacks, well... if the passwords are plaintext... you know. Who cares, at that point.

They might just uppercase it for that form so some "super smart" Javascript snippet will tell you "that's too similar" when changing password, whatever. We don't know. But again, whatever it is, it's no good.