As a protest vote against the Big 6 energy companies, I recently switched supplier to Cooperative Energy. Switching is painless, fill your details in online, click the button and off you go. They do of course want a password from you and I used LastPass to generate a unique one for me and memorise it.
Some time later, I went to login in to the customer portal just to see what I could do and was quite surprised to find my password didn’t work. I mentally shrugged and clicked on the Forgotten Password link and waited for the usual password reset email to arrive. I got this instead:
Dear Customer
The information you requested is…
eg!3fpp*hvfsIf you have any questions please contact our customer service team
(This is, of course, not my actual password, this is just an example that I’ll treat the same way as the Coop did.)
Here we have two immediate problems. The first is, of course, they have sent me my password in plain text in an email. We all know that’s a bad idea. Secondly, what they have sent is not actually my password. My password looks like this:
eg!3fP^P*hVFs
See what they did? For whatever reason the caret has been removed and all the letters have be converted to lower case thus making my password less secure. I sighed and went to change my password online and found I couldn’t. If I want to change my password then I have to go talk to a human to do so. This leads to problem three, which is that people generally pick stupid passwords and reuse them. I’m sure Coop Energy only employ wonderful honest people, but giving them an email address and a stupid password is only ever going to end badly for someone eventually.
I’ve spoken to Coop Energy’s customer service team and they acknowledge the problems I’ve found. Let’s hope, for the sake of a safer and more secure internet, they sort them out.