I just got an email from Mercury Energy telling me my bills were now being sent to me online. They'd already told me a couple of weeks back, so the email was pointless.
Of course I changed my password the first time I logged on. In this second welcome email they were kind enough to email me the password I chose. Since they can do this, it suggests that the password is either stored in clear text or stored encrypted in the database and decrypted to email it to you; both are poor security practice. Storing only a password hash is far preferable: if the user forgets their password, a new one can be sent instead.
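As an added illustration of the hash-and-reset approach described above (example code I wrote for this post, not Mercury's or anyone else's real system): passwords are stored only as salted PBKDF2 hashes, so nobody can mail them back, and a forgotten-password flow issues a single-use token instead. The in-memory dictionaries, iteration count and token lifetime are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical in-memory stores for the demonstration; a real site would use a database.
USERS = {}
RESET_TOKENS = {}

PBKDF2_ITERATIONS = 210_000  # assumed work factor; tune to the server's capacity


def create_user(username, password):
    """Store only a random salt and a PBKDF2 hash; the password itself is discarded."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    USERS[username] = {"salt": salt, "hash": digest}


def verify_password(username, password):
    """Recompute the hash from the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def issue_reset_token(username, ttl_seconds=900):
    """What a 'forgot password' flow can send: a short-lived random token.
    The old password cannot be recovered from the hash, so it is never emailed."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (username, time.time() + ttl_seconds)
    return token


def reset_password(token, new_password):
    """Consume the token once; reject unknown or expired tokens, then replace the stored hash."""
    entry = RESET_TOKENS.pop(token, None)
    if entry is None:
        return False
    username, expires = entry
    if time.time() > expires:
        return False
    create_user(username, new_password)
    return True
```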
When I first tried to sign up to get my Mercury bills online on 26 July this year their website security certificate had expired. I think they've fixed it now, but here are the details of that one.
Details:
The certificate is only valid for the following names:
*.24hours.co.nz , 24hours.co.nz
The certificate expired on 14/01/2011 12:59 p.m.. The current time is 26/07/2011 1:55 p.m..
It looks like the certificate had been expired for over 5 months before I pointed it out and they fixed it. I have no idea what that 24hours domain is, but that's the message I got; I was on mercury.co.nz at the time.
Overall the impression I have of Mercury Energy is of incompetence and a lack of attention to security. I'll be moving my business away from them.