
Bad Form: Companies Still Send Passwords via Email - nreece
http://www.techconsumer.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/
======
bfioca
I'm going to lose karma points for this but I think this issue is really
mostly just paranoia. Can someone tell me what the likelihood is that someone
would sniff my password from the bits traveling in the series of tubes from
the server to whatever mail service I use? For the record, I've worked on
an app that sent plaintext passwords because we thought it was useful to have
a record of the password you used to register with us. We changed it pretty
fast when a few disproportionately loud complaints came in, and nobody asked
for it back, and I totally feel like if it makes users more comfortable that
it's a good thing, but I still can't bring myself to consider plain text
passwords in email a big negative. Anyone agree or am I alone? :)

~~~
bayareaguy
In theory, it all depends on the public value of the stuff the password is
supposed to protect and the uniqueness of the password.

Unfortunately the general populace frequently uses the same password for
everything so if someone can get the password for their online sudoku
preferences, there's a chance the same password will work other places.

You may not think that matters much, but you're probably doing some fraction
of your users a favor by not making things worse for them.

------
jgrahamc
If they can send it to you in email it means they are storing it as plain
text. That means that if their database gets breached all the passwords are
exposed. They should be storing a salted hash of the password.

Also, I don't agree that everyone uses the same password over and over. There
are nice bookmarklets that can generate per-site passwords. I actually
generate a new password for every site in my head.

~~~
bfioca
"If they can send it to you in email it means they are storing it as plain
text." That's not necessarily true - you can send it in the same request as
the form submit that accepts it.
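
The distinction drawn in the two comments above, as an added example that is not part of the thread: a registration handler can store only a salted hash and still put the plaintext in the confirmation e-mail, because the form submit carries it, while a later request to mail the password cannot be served. The function names, the in-memory `users` table and the PBKDF2 iteration count are assumptions of this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch
users = {}            # stand-in for the user table: name -> (salt, digest)


def derive(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash; the only password-derived value stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(name: str, password: str) -> str:
    """Store salt + digest and return the e-mail body built in the same request."""
    salt = os.urandom(16)  # fresh per user, so equal passwords hash differently
    users[name] = (salt, derive(password, salt))
    # The plaintext is available here only because the form submit carried it.
    # The mailed copy then sits in the user's mailbox, outside the server's control.
    return f"Welcome {name}, you registered with password: {password}"


def verify(name: str, password: str) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    if name not in users:
        return False
    salt, digest = users[name]
    return hmac.compare_digest(digest, derive(password, salt))


def resend_password(name: str) -> str:
    """A later 'mail me my password' request cannot be served from this table."""
    raise LookupError("plaintext was never stored; issue a reset link instead")


if __name__ == "__main__":
    print(register("alice", "correct horse"))  # constructed sample values
    register("bob", "correct horse")
    for user, (salt, digest) in users.items():  # what a database breach exposes
        print(user, salt.hex(), digest.hex())
    print(verify("alice", "correct horse"), verify("alice", "wrong guess"))
```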

