
First of all: I didn't claim that (although, yes, maybe that kind of got implied). [1]

But I even think this practice is useless. They just sent my password in cleartext. It sits now in my inbox and I have to delete it or I store my unprotected password. And - for what exactly? Does that serve any purpose? I just entered it a second ago.

So I question the usefulness of that approach and consider this very first contact unprofessional. YMMV and all.

1: Just tried the 'Forgot my password' dance and they don't retrieve it at least: Received mail with link to site which sends a mail with auto-generated password to log in. A bit weird, but well..

Deleting an email really isn't that onerous a task, but you are of course free to use whatever criteria you wish to judge a host.

And as you point out with the "forgotten password dance", access to your email account gives an attacker access to your hosting account anyway (although not stealthily).


Again, I didn't claim it is.

This was the very first contact. Sending me passwords (same for 'temporary ones' after a reset. I consider that a cumbersome process whereas I consider the initial mail just plain "wrong") delivers more than just the text over this channel.

I read between the lines "Here's your password again from 2 minutes ago. File it away" which again is nothing I consider a good idea. The impression is that they write the digital form of a post-it note of the password for my monitor.

Is it a big issue in itself? Nope, probably not. But it certainly ruined the first impression for me and I'll walk away now. I shared that part because others might (or might not) agree and to potentially save like-minded people a registration.

