Quote: Originally Posted by Recursion
I meant if you're requesting your password and they send it in plaintext.

Also, I like the way you do it, but what if someone has a typo in their address and it goes to the wrong person? Their password is then out in the open, which is especially true for people who use the same one for everything.
That's a brilliant point. Websites always ask me to confirm my password when I'm signing up, but they very rarely ask me to confirm my email address.
(I just checked over some of my old work; I wasn't sure.) I usually get my users to confirm their email address, but I can list at least 10 well-known sites right now that send out passwords in plain text without confirming the email address.

Quote: Originally Posted by N!ck
If they're emailing it to you they have a blatant disregard for security. The only time a password for any worthwhile service should traverse the internet in a non-hashed fashion is when you're either logging in or creating the password. Both of which should be done over SSL.

Although clearly most online banking passwords aren't hashed as they ask for specific letters :S.
I'm talking about the password creation anyway, so boom, but I know what you mean. I still like being emailed my plain text password though.
I was thinking about the banking thing the other day when I saw my mum log in to online banking by using the third, fifth and seventh letters of her password, but that can still be secured just like a standard password by splitting it up into separate letters before it's encrypted, or possibly some super geeky way that I don't understand because I don't work for a bank.