by GoblinSlayer 2008 days ago
>And if no password databases are available, the attacker can create a website and ask you to join it under the hope you'll reuse your horcrux on the attacker's site.

Some sites email your password to you: https://plaintextoffenders.com/


With two important notes:

1) A site that emails you your password might not be storing it in plain text. They're similar but separate problems.

2) A site that sends you a login link could be just as bad as the sites listed here, if that login link doesn't expire (and you used a unique password). It's a more subtle way of having the same problem.

For 2, if it's a password that the user chose, the site should never email it, because the user likely reused that password across many sites, and someone who snoops on the user's email (say a housemate) can get the password to a ton of sites.

If it's a password generated by the site, then it's actually fine to email it. Although you likely don't want it so early in the email that it would show up in a phone notification or in a body summary in Gmail.
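An added example (not from any commenter in this thread) of the expiring, single-use login link that note 2 calls for: the server stores only a hash of the token, so a leaked table or a snooped old email does not yield a working link. The 15-minute TTL and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: login links expire after 15 minutes

# Constructed in-memory store: sha256(token) -> {"user_id", "expires", "used"}
_pending_logins: Dict[str, dict] = {}


def _hash_token(token: str) -> str:
    # Only the hash is persisted; the raw token exists only in the emailed link.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_login_token(user_id: str, now: Optional[float] = None) -> str:
    """Mint a high-entropy, single-use login token for `user_id` and
    return it to be embedded in the emailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    _pending_logins[_hash_token(token)] = {
        "user_id": user_id,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_login_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the token is known, unexpired and unused,
    otherwise None. The record is deleted on first use or on expiry, so
    a link read later from someone's inbox cannot be replayed."""
    now = time.time() if now is None else now
    key = _hash_token(token)
    record = _pending_logins.get(key)
    if record is None:
        return None
    if record["used"] or now > record["expires"]:
        _pending_logins.pop(key, None)
        return None
    record["used"] = True
    _pending_logins.pop(key, None)
    return record["user_id"]
```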

Many sites are wrongly listed there, like https://plaintextoffenders.com/post/629608281322733568/qnx-s...
Honest question: If you send it in the email without storing it (just appending the $password variable to the email body), what would be the problem?
Some email is still sent unencrypted over the web so people snooping on traffic could see it.
Any mail server the email happens to pass through is able to read/log the entire content of the message.
It's sad to think that the list of 5801 sites probably only accounts for a couple percent of the total amount of offenders.