Account passwords appear to be insecure (not encrypted)



 
Jun 4, 2008

SCU Tsunami ...

I noticed that TeamSnap account notifications include passwords in clear text. This implies that passwords are not encrypted on TeamSnap servers, and, therefore, systems can be compromised through unintentional or malicious acts.

Can TeamSnap confirm whether passwords are stored as encrypted, and if not, when that might be addressed?

 
Jun 23, 2008

Teamsnap
Andrew Berko...
Administrator

This is being addressed right now and should be changed this week.

Thanks!

Andrew @ TeamSnap
Lead Developer

 
Jun 30, 2008

SCU Tsunami ...

Thanks, Andrew.

There are other security issues that we’ve noticed since, and I’ve cited some below. The crux of the issue is that TeamSnap allows entry and storage of personal information, so all access and storage must be encrypted.

  • All personal data must be stored in encrypted form.
  • Once logged in, all pages should be transmitted through SSL.
  • Sessions need to time out.
  • Account passwords must be enforced as strong (examples: at least eight characters, mixed case, at least one digit, at least one symbol/punctuation mark, cannot include name, etc.)
  • Passwords should be changed at least once every three months.
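The first and fourth points in the list above (store passwords so a leaked notification or database dump does not reveal them, and enforce a strong-password rule) are the kind of thing a small amount of server-side code settles. The following is an added example, not TeamSnap's code and not from anyone in this thread: it stores a salted PBKDF2 hash instead of the password itself, verifies a login against that hash, applies the policy the post spells out, and includes a simple idle-timeout check for the session item. The iteration count, the 30-minute idle limit and the sample account names are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware allows.
PBKDF2_ITERATIONS = 200_000
# Assumed idle limit for the "sessions need to time out" item.
IDLE_TIMEOUT_SECONDS = 30 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    Only this record is stored; the plaintext is never written anywhere,
    so it cannot be echoed back in a notification e-mail.
    """
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def password_policy_violations(password: str, account_name: str) -> List[str]:
    """Apply the rules listed in the post; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol or punctuation mark")
    # "cannot include name": reject any word of the account name, case-insensitively.
    for part in account_name.split():
        if len(part) >= 3 and part.lower() in password.lower():
            problems.append(f"contains the account name part {part!r}")
    return problems


def session_is_expired(last_activity_ts: float, now_ts: float) -> bool:
    """True when the session has been idle longer than the assumed limit."""
    return now_ts - last_activity_ts > IDLE_TIMEOUT_SECONDS


if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    record = hash_password("Tsun@mi2008")
    print("stored record:", record)
    print("correct password accepted:", verify_password("Tsun@mi2008", record))
    print("wrong password rejected:", not verify_password("tsunami", record))
    print("policy violations:", password_policy_violations("tsunami", "SCU Tsunami"))
```

Note that `verify_password` reads the iteration count from the stored record, so the work factor can be raised later and old records still verify until the user next changes their password.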
 
Jul 22, 2008

Teamsnap
Andrew Berko...
Administrator

I can tell you that we will be implementing some, but not all, of these suggestions when we launch the paid service.

Thanks :)

Andrew
