Today I took and passed the CompTIA Security+ 2008 exam. I don’t see a lot of value in these certifications, but it was a requirement for work, and my employer paid for the exam, so that was all fine.
Anyway, this post is about the security practices of CompTIA, the organization that thinks it’s competent to judge my knowledge of security practices.
When I registered for an account on CompTIA’s website a few weeks ago, I received a confirmation email which contained my new account’s password in cleartext. It wasn’t a randomly generated change-on-first-use password—it was the real password that I selected when I created the account. I’m being tested on rainbow tables, and they’re emailing me my password?! It makes me suspect that they’re storing plaintext passwords in their database, too.
It’s like showing up for your driver’s license exam, and seeing your examiner drive up with a beer in his hand.
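For contrast with the practice described above, here is what a password store that cannot echo the password back looks like. This is an added example, not code from the original post or from CompTIA: the server keeps only a random per-user salt and a slow salted digest (PBKDF2-HMAC-SHA256), so it can verify a login but has nothing to put in a confirmation email, and two users with the same password get different digests, which is exactly what a precomputed rainbow table cannot handle. The sample password is constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential for the demonstration (not from the original post).
SAMPLE_PASSWORD = "correct horse battery staple"
ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). Only these two values are ever stored; the
    password itself is discarded, so there is no way to mail it back."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(password: str) -> dict:
    """Build the record the database would hold for a new account.
    Note the absence of any plaintext 'password' field."""
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest from the candidate password with the stored salt and
    compare in constant time, so timing does not leak how many bytes matched."""
    _, candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])


def same_password_different_records(password: str) -> bool:
    """Two accounts choosing the same password end up with different digests
    because their salts differ; a rainbow table built for unsalted hashes
    therefore gives an attacker nothing to look up."""
    first, second = register(password), register(password)
    return first["digest"] != second["digest"]


if __name__ == "__main__":
    rec = register(SAMPLE_PASSWORD)
    print("stored record keys:", sorted(rec))          # ['digest', 'salt']
    print("login ok:", verify_password(SAMPLE_PASSWORD, rec))
    print("wrong password rejected:", not verify_password("hunter2", rec))
    print("salting defeats rainbow tables:", same_password_different_records(SAMPLE_PASSWORD))
```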