
Goldmart Password Storage

Posted: Wed Sep 04, 2013 10:56 am
by hoost
I just created an account at Goldmart, and they sent me an email containing my username and password, the password I entered into their website.  As a result, I don't really feel comfortable doing business with them.  Has anyone else had this experience?

Re: Goldmart Password Storage

Posted: Wed Sep 04, 2013 11:46 am
by SteveGo
It does not bother me. When I get such emails, such as from a "lost password reset" or the opening of a new account, I immediately go in and change the password.

I could not find the email they sent me when I first opened an account, but if it contained a password, I am sure I changed it to something randomly generated by KeePass.

Re: Goldmart Password Storage

Posted: Wed Sep 04, 2013 11:54 am
by Pointedstick
The point is, if they can send you your password, they store the password in cleartext somewhere rather than just its hash. Which means that someone with access to their computer systems--authorized or unauthorized--could get your login credentials.

Unfortunately, this is hardly rare. :(

Re: Goldmart Password Storage

Posted: Wed Sep 04, 2013 12:31 pm
by mortalpawn
Most merchant checkout systems do hash your password (with MD5) before storage. I would be surprised if they store it unencrypted, though there are quite a few exploits for MD5 - which is why you should use different passwords for different sites and not use the same password on a shopping site that you use for something like your bank account.

I personally don't like systems that email passwords in clear text as there are many ways to intercept that.  I would change the password online after getting an email like that.

The other thing to watch out for is to make sure it redirects you to a secure site (https://) when you log in (i.e. like Amazon does).  In Goldmart's case it looks like it does this, but on many less secure sites (i.e. discussion forums like this) it does not, so your password is transmitted in clear text.  Another good reason not to share passwords across sites.

Overall I would not be any more concerned than ordering from another online merchant.  Any online order is subject to certain risks, but so is handing my credit card to a waitress when I pay for a meal (and they may have it for 10 minutes or more!).  Also in this case you are likely not paying with a credit card or storing your credit card online so it may be less risky than many other sites.
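
Added example, not part of any post in this thread and not Goldmart's code: a Python sketch of the storage difference raised in the two posts above, showing a record that holds only a per-user salt and a slow derived key (so the site has nothing it could email back) next to the unsalted MD5 digest mentioned above. The function names, the sample password and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your own hardware.
ITERATIONS = 600_000

def make_record(password: str) -> dict:
    """What the server keeps at signup: random salt + derived key, never the password."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "key": key.hex(), "iterations": ITERATIONS}

def verify(password: str, record: dict) -> bool:
    """Re-derive the key from the login attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(key, bytes.fromhex(record["key"]))

def unsalted_md5(password: str) -> str:
    """The weak scheme: one fast, unsalted digest per password."""
    return hashlib.md5(password.encode()).hexdigest()

def compare_schemes() -> dict:
    pw = "correct horse battery staple"  # constructed sample password
    alice, bob = make_record(pw), make_record(pw)  # two users, same password
    return {
        "login_ok": verify(pw, alice),
        "wrong_password_rejected": not verify("Tr0ub4dor&3", alice),
        # Per-user salts: a stolen table does not reveal who shares a password.
        "salted_records_differ": alice["key"] != bob["key"],
        # Unsalted MD5: equal passwords give equal digests, so one precomputed
        # lookup covers every account that uses that password.
        "md5_digests_identical": unsalted_md5(pw) == unsalted_md5(pw),
        # Nothing in the stored record can be mailed back as "your password".
        "password_in_record": pw in repr(alice),
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

A site that stores records like these can only offer a reset link when a password is forgotten; being able to send the original password back means it is kept in cleartext or under reversible encryption.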

Re: Goldmart Password Storage

Posted: Wed Sep 04, 2013 3:24 pm
by Reub
I remember one incident last year with Goldmart where they told me that their website was down because it was hacked into by someone. So this might be a legitimate issue. Have you contacted them with your concerns? Overall, I've been satisfied with their service except for a waiting period to receive my order.

Re: Goldmart Password Storage

Posted: Fri Sep 06, 2013 11:07 am
by hoost
I have contacted them, but they don't seem to grasp what it is I'm asking.  I received a very quick response and they even reset my password for me, which is great, but didn't really address the issue.  So far I've been dealing with their sales support group...I'm not sure if they have a tech support group, but I will be asking to speak with them if they do.

Re: Goldmart Password Storage

Posted: Fri Sep 06, 2013 12:34 pm
by notsheigetz
My first thought was that there wouldn't be much to be gained by illegally accessing someone's Goldmart account. It's not like Amazon.com where you just point and click to buy some gold. I believe you have to present a valid credit card and obtain an authorization every time.

Then it occurred to me that you can find out how much gold somebody has purchased and where they live. Definitely not a good thing.