Is mailboxforwarding.com Safe?

This is a great service but I cannot trust them because they've made it clear they do not encrypt passwords, nor really even know why it's important. Apparently tech support can see what my password is? What's stopping them from trying everyone's gmail passwords on their gmail accounts...or the hackers from doing that WHEN they steal their database. Directly from their "developer" via tech support: http://www.mailboxforwarding.com/support/ticket.php?track=TWD3W4U4PM&Refresh=68811 Ticket status: Waiting reply from staff [Close ticket] Created on: ***** 22:20:10 Last replier: Greg X Category: Technical Support Date: ***** 22:20:10 When I change my password to this: X#1.0IHW^c0Yf#u+X9^.3++U801p#? (30 characters) The password change program takes it no problem. But when I try to log back in with it I cannot. I presume you are limiting it to a certain number of characters...without telling the user. What is the maximum number of characters that I can use for a password and which special characters are allowed? Do you store passwords encrypted, or just hashed, or in plain text? Thank you, Date: ***** 16:38:05 Name: MailboxForwarding Support Greg: I wrote to the person who does the website and here is what he wrote (I figured since you asked, you probably know about programming): All fields in a database generally have length limits, and the limit for the password just happens to be 30 characters. He can use special characters too - in fact, I don’t think there’s any limitations even as far as even quotation marks/etc, since it will “comment” them out (meaning when reading and writing to the database, it will put a / in front of a few of those programming characters to tell the system that it really wants the character itself and it’s not trying to give a command). All user-input fields are “sanitized” before the data the user provides is written to the database. If I didn’t sanitize them first, then a smart user could use the change your name/address/password box to put a close parenthesis and then a line of their own SQL code and save it as their name, and when the system grabbed the contents of the field and stuck it in the middle of its code for updating that database record, it would cut my SQL update off early and then execute whatever code the person put in afterwards as code. Which means if they could also figure out or guess what I’ve named some stuff, they could erase the entire database by writing a few lines in as their name. But that’s why I always sanitize user input before just blindly plugging it in to the code as-written. That way, any quotations or other stuff in there gets escaped and still treated as text regardless of what character it is. And as a plus to that, users don’t have to be careful to avoid some of those characters as much as we do on the backend. Well, if you understand that better than I do, it may help you. When I looked at your account, I do see that you have inputted (is that a real word?) a password of your own making and the system does have it saved. I also see no reason why you should not be able to log in. Let me know if you continue to have problems. Support Date: ***** 20:44:42 Support, The developer's answer does not address my problem, but thankfully reveals more, bigger ones. When I changed my password to shorter than 30 characters it worked fine. Perhaps he/she is not counting the null character at the end of a string or something. But more concerning is the fact that YOU are able to view my password in plain text and that your company sends replacement passwords in plain text over email. That is an extraordinary security flaw. Your company will be just like all the others with massive data breaches when your database gets stolen and it's found out that passwords are stored in plain text. I guarantee 90% of the people at your site use that same password elsewhere. That fact that we're even having this conversation on an entirely unencrypted and unauthenticated session is cause enough for me to cancel my account right now.

I've been a customer of Mailbox Forwarding for about 2 years now, starting when my wife and I sold our home to retire to a life of full-time RV living (which means we'd have no permanent address, and plenty of businesses have issues dealing with that when their customer profile software requires entries under the "address", "city", "state", and "zip" fields). A physical mailbox wouldn't have done us much good, since we are rarely in the same state more than once every 4-5 months and can't just leave mail to pile up. This service has been phenomenal at allowing us to access all of our mail and read almost all of it through the online interface, and when we absolutely need something shipped to us, we can specify the address of the campground we're at and know we'll be at for the next 2-3 days, and they ship it there using the carrier speed we select (express if we're moving o soon and really need something, or cheaper options if we know we'll be staying a few more days). It's the missing link that most RVers could really use to free them from the one remaining location-specific bond of our modern age: the fixed postal address. So glad I found this option.