

Can you trust a site that sends you a welcome email with your password in it? - luxative

This is a pet peeve! When Jeff@xyzsite.com sends me a welcome mail with my username & password mentioned in it, I have basic doubts about the site's security measures & privacy policy. Especially when (foolish, I know) I've used the same password on half a dozen other sites. Am I being paranoid?
======
koeselitz
It's funny, because I don't think you're being paranoid - but note that almost
every site is in exactly the same boat on this. It doesn't really matter that
most of them don't send your username & password to you in an email; most of
them _do_ allow you to get your username and reset your password using only
email verification. So even if your username/password wasn't sent in an email,
someone who has access to your email can get them.

I think that's a risk, but it's hard to see another way to do it; people
forget passwords, unfortunately. It's a fact of life.

~~~
luxative
I think mentioning the username and email ID is a lot more preferable - and
safer. I'm not as concerned about my email getting hacked (in which case, I
have bigger problems) than my password being up there in plain text. Most of
us sign up for more things than we can remember individual passwords for; many
of us probably use a set of few passwords across sites - with our own rules
for what's used where. The fact that any person can assume a reasonable degree
of password reuse and try my password on (say) Gmail, etc is very disturbing.

------
pwg
While not a solution to the insecurity of the site you refer to, you really
should check out Password Gorilla (<http://wiki.github.com/zdia/gorilla/>).
Using it you don't need to remember different site passwords, and you never
have to use the same password twice.

~~~
pasbesoin
> Password Gorilla is a Tcl/Tk application

is the bit I found interesting.

("pwg" -- is that you, Frank?)

~~~
pwg
No, Frank usually goes by fpx.

Why would you find that it is Tcl/Tk to be interesting?

------
antichaos
No, you are not paranoid because you reuse passwords on untrusted sites.

~~~
luxative
Don't most people? I have 6 passwords I normally use - with one for untrusted
sites, one for money related stuff, etc. Even though the damage is reduced if
someone lays their hand on my 'untrusted site password', it is nevertheless
disconcerting. Time to use Keepass or something similar, I guess.

