

Ask HN: Emailing users their passwords outdated? - coryl

Hey guys, wondering what your thoughts are on emailing a user their password, upon registration for example. A lot of sites still send you a record of your username/password when you register. It feels like an outdated practice and a security flaw because of changes to the way we use email.

I recently had my Gmail compromised, and like most people, having all the space I need means I never need to delete anything which is convenient but also a security risk. I wondered what would happen if they downloaded my entire inbox and sorted through all emails with the text "password" in it. I'd have a lot of accounts on different services exposed.

Thoughts?
======
smallblacksun
It's always been a bad idea. The server should not be storing your password in
plaintext, let alone transmitting it over email.

------
jodrellblank
Send a one-shot link which logs them in.

Optionally, takes them to the 'change password' area with no need to enter the
previous password, this time.

Yes, don't store or send passwords.
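
The one-shot link suggested in the comment above, sketched as an added example that is not part of the thread or any poster's code. The class name, the `app.example` URL, the 15-minute lifetime and the in-memory store are assumptions made for illustration; the point is that the mailed token works once, expires, and is kept server-side only as a hash, so an attacker who later searches an old inbox finds nothing reusable.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the thread does not specify one


class OneShotLinks:
    """Issues single-use login links; only a SHA-256 digest of each token is stored."""

    def __init__(self, base_url="https://app.example/login"):  # placeholder URL
        self.base_url = base_url
        self._pending = {}  # digest -> (user_id, expires_at); a DB table in practice

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        """Create a link to e-mail to the user. The raw token is never stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
        return f"{self.base_url}?token={token}"

    def redeem(self, token, now=None):
        """Return the user_id once; None if the token is unknown, expired or reused."""
        now = time.time() if now is None else now
        # pop() removes the entry on first use, so a replayed link finds nothing.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if now <= expires_at else None


if __name__ == "__main__":
    links = OneShotLinks()
    link = links.issue("alice")
    token = link.split("token=", 1)[1]
    print("first use :", links.redeem(token))
    print("second use:", links.redeem(token))
```

After a successful `redeem`, the application would start a session and, as the comment suggests, can send the user straight to the change-password form.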

