Sara is one of the nicest affiliate managers I’ve ever known, and I’ve trusted Income Access for years.
I suspect that quite a few casinos, affiliate programs, and message boards store passwords “as is.” If you forget your password, it can be emailed to you, or (in the case of an online casino), the help desk might tell it to you on the phone after asking you a few security questions.
Ideally, passwords would be encrypted in a way that does not allow them to be seen or un-encrypted. Using “md5” or “sha1” on the password accomplishes this perfectly. Every time the user logs in, the password they type is transformed via md5 or sha1 into the encrypted version, which looks like a series of random letters and numbers. This “hash” is 32 characters long if md5 is used; 40 characters long if sha1 is used.
Only the user knows the password; it isn’t possible to email the password to the user, nor is it possible to tell it to them over the phone. If the user forgets the password, the only solution is to send a “new” randomly generated password to the user’s email address. The script that generates this new password also resets the password in the database, encrypting it with md5 or sha1. Nobody ever knows what the password is — except for the user, when he opens his email. Presumably the user is the only one who has access to the email account….
My point is — Income Access doesn’t deserve to be grilled here any more than PartnerLogic, 400 Affiliates, Casino Rewards, or even CAP (all chosen at random — I have no idea how passwords are stored at any of these sites).
The best thing to do (to protect yourself) is to use a different password for each account.
Income Access should be commended for taking steps to make their program even better than before. :thumbsup: