
Website doesn't allow password change

8 replies

WhatTheScooby · 11/06/2025 16:47

I've just paid for a product with a large website. They have sent a password via email, which I then used to sign in. I looked to see where I could change the password, but no luck. Emailed, and they said I can't change it. If you press forget password, you just get emailed another one. My account contains address, email, phone number, child's name and school. If my email is hacked, the password is sitting there for someone to log on and see those details. I've never known a company to not allow a password change (in fact, don't they encourage it?). Am I overthinking this?

SerendipityJane · 11/06/2025 16:58

You're not.

20 years ago I suggested there should be an international standard for how personal details are transacted and stored. Things like encryption, password complexity and so on.

Worth reflecting on what's happened since. But here we are, 2025 and not only is there not such a thing. But still no one is suggesting it.

WhatTheScooby · 11/06/2025 17:28

SerendipityJane · 11/06/2025 16:58

You're not.

20 years ago I suggested there should be an international standard for how personal details are transacted and stored. Things like encryption, password complexity and so on.

Worth reflecting on what's happened since. But here we are, 2025 and not only is there not such a thing. But still no one is suggesting it.

Thanks for your reply SerendipityJane. It's really perplexed me. This company is big, providing a service for parents across the country. I just can't believe I'm the first customer to see this as being a problem. Even the tiny local footie club's website was set up to ask for a password change on first log in.

SerendipityJane · 11/06/2025 17:49

The underlying fact here is that once you press "enter", you have no idea whatsoever what is happening to your data. Yes, you can look at all the nice AI-generated compliance blurb on the website. But you will notice none of them address the OP's issue.

Passwords should never be held, or transmitted in plaintext. Ideally they should always be hashed. And time-limited. But I can guarantee I'll be the only person here who thinks that should be a thing.

GasperyJacquesRoberts · 11/06/2025 17:55

That's insane. It's also breaching PCI DSS requirements that they are obliged to follow if they're storing payment card data. If I were you I'd follow the GDPR right to erasure process to get them to delete all of your personal data and never use that site again because they clearly don't have a clue.

SerendipityJane · 11/06/2025 18:05

GasperyJacquesRoberts · 11/06/2025 17:55

That's insane. It's also breaching PCI DSS requirements that they are obliged to follow if they're storing payment card data. If I were you I'd follow the GDPR right to erasure process to get them to delete all of your personal data and never use that site again because they clearly don't have a clue.

PCI-DSS doesn't mandate how customer passwords are stored, nor that the customer should be able to change them.

WhatTheScooby · 11/06/2025 18:23

GasperyJacquesRoberts · 11/06/2025 17:55

That's insane. It's also breaching PCI DSS requirements that they are obliged to follow if they're storing payment card data. If I were you I'd follow the GDPR right to erasure process to get them to delete all of your personal data and never use that site again because they clearly don't have a clue.

I would love to but I'm stuck between a rock and a hard place. They provide a service for the school that would put my ds at a disadvantage if he didn't have it. I will contact the school to let them know but I suspect not much can be done as I assume they have a contract with them to provide the service.

WhatTheScooby · 11/06/2025 18:26

SerendipityJane · 11/06/2025 17:49

The underlying fact here is that once you press "enter", you have no idea whatsoever what is happening to your data. Yes, you can look at all the nice AI-generated compliance blurb on the website. But you will notice none of them address the OP's issue.

Passwords should never be held, or transmitted in plaintext. Ideally they should always be hashed. And time-limited. But I can guarantee I'll be the only person here who thinks that should be a thing.

With the way the world is going, I so wish more people thought like you. It's frightening how easy it is for cyber criminals. Do you think there would be any regulating body I can report this to? I contacted ICO but they said it wasn't data protection (I assume they will only act if it's actually leaked?!)

SerendipityJane · 12/06/2025 08:35

WhatTheScooby · 11/06/2025 18:23

I would love to but I'm stuck between a rock and a hard place. They provide a service for the school that would put my ds at a disadvantage if he didn't have it. I will contact the school to let them know but I suspect not much can be done as I assume they have a contract with them to provide the service.

If they can't prove the service they have chosen is secure, then it's on them when the leak happens.

Formally ask the school what due diligence they have done (they are a school. Those words will provoke a response). Possibly reminding them that they are the ones with the duty of care, and they don't get to point to a dodgy outfit and say "it's on them".

What terms are in place between the 3rd party and the school regarding the school's statutory obligation to ensure the safety of pupils and staff? How does it square with their safeguarding duties?

And start with copying the board and the Local Authority in on it. It never hurts. The ICO would also be interested.

This isn't really a tech issue. It's a shit administration one. The IT angle is a red herring.

I've highlighted some choice words and phrases. Whilst communication by press release is painfully tacky, it's how things work at this level. If you can't beat 'em ...
