.Mac foolishness

So I decided to increase the iDisk storage on my .Mac account, mostly because I’m using the password-protected Public folder to share a largish database with some friends, and mounting DAV volumes is easy, convenient, and doesn’t involve bandwidth that I pay for. The fact that it autosyncs to every Mac I use is just a bonus, of course.

The problem? The confirmation screen for buying upgrades to your .Mac account includes your plaintext password. Sure, it’s a secure web form, but this is a receipt, and I print out receipts for online purchases. I suspect other people do as well.

This transaction did not involve changing a password, adding a sub-account with a new password, or anything similar, so why is my password being printed out? More significantly, why is .Mac storing plaintext passwords in the first place? This is an old security mistake, and anyone designing a service on top of Unix should know better.

Update: a few days later, they decided to bump disk storage for everyone and cut the price of bumping it further. Unfortunately, they also bounced a lot of email for a day with bogus “over quota” errors.

Update: well, that’s at least useful. The standard .Mac account now has a total of 250MB of storage, which can be divided up between email and iDisk however you like. My upgrade to 200MB of iDisk storage is now to a total of 1GB, divided evenly by default. I quickly cranked the email storage down to 50MB and put the rest into the iDisk. You still can’t safely sync it when you’re on a wireless network (your .Mac password is sent in the clear for non-SSL WebDAV), but it’s still a handy tool.