by NiekvdMaas 5466 days ago
It's not just domain registrars, I reset the password of my basecamphq.com account (which stores very confidential project information) last week, and received this email:

  Hi -name-,
  
  Can't remember your password? Don't worry about it — it happens. We can help.
  
  Username: -username-
  Password: -password in plain text-
  
  Please keep your password safe to prevent unauthorized access.
It blows my mind that even 37signals falls for this trap. There should be a website showing a blacklist of services that store passwords plaintext.
2 comments

Not exactly a list, but: http://plaintextoffenders.com/
As I'm sure you noticed, many of those sites are putting the password in the welcome/verification email, but this is not the same as actually storing it as plaintext in their database. The thing to look out for is your old password in password reset emails, not welcome emails.

And another one to add to the list: my brother's small business uses British Telecom for email hosting. Their control panel stores the password in plaintext.

> The thing to look out for is your old password in password reset emails, not welcome emails.

What's the use of encrypting your passwords when you're broadcasting them to every mail server between you and your customer?

I'm surprised you haven't been prompted to upgrade your account. 37signals switched to a new login system 18 months ago which doesn't store passwords in the clear. With a new login you get a regular password reset email.
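The distinction the comments above draw (a reset mail that contains your old password proves the service can recover it, while a system that stores only a hash can do no better than mail a one-time reset link) in working code. This is an added example, not code from the thread, from 37signals, or from Basecamp's login system; it assumes an in-memory user store, a hypothetical https://example.invalid reset URL, and uses Python's hashlib.scrypt for the password hash.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical in-memory stores for the example (a real service would use a DB).
_users = {}          # username -> {"salt": bytes, "hash": bytes}
_reset_tokens = {}   # username -> {"hash": sha256(token), "expires": unix time}


def _hash_password(password, salt, n=2 ** 14):
    # Salted, memory-hard hash: the service keeps this, never the password itself.
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)


def register(username, password):
    salt = os.urandom(16)
    _users[username] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(username, password):
    rec = _users.get(username)
    if rec is None:
        # Do equivalent work so a missing account is not detectable by timing.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def start_password_reset(username, now=None):
    """Return the body of the reset mail. It cannot contain the old password:
    nothing recoverable is stored. Only the token's hash is kept server side."""
    token = secrets.token_urlsafe(32)
    if username in _users:
        _reset_tokens[username] = {
            "hash": hashlib.sha256(token.encode()).digest(),
            "expires": (now or time.time()) + 3600,   # one hour validity
        }
    # Same reply whether or not the account exists (no user enumeration).
    return (f"Hi {username},\nTo choose a new password visit "
            f"https://example.invalid/reset?token={token}")


def complete_password_reset(username, token, new_password, now=None):
    rec = _reset_tokens.get(username)
    if rec is None:
        return False
    if (now or time.time()) > rec["expires"]:
        del _reset_tokens[username]
        return False
    if not hmac.compare_digest(rec["hash"], hashlib.sha256(token.encode()).digest()):
        return False
    del _reset_tokens[username]       # single use
    register(username, new_password)  # fresh salt, fresh hash
    return True


def reset_email_reveals_password(email_body, password):
    """The check the thread recommends: does the reset mail echo your old password?"""
    return password in email_body
```

Note that the token is handled the way the password is: only its hash is stored, it expires, and it is consumed on first use, so a leaked database or a replayed reset link is worth little to an attacker.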
Why should basecamp even need to prompt the user to upgrade their account to the new login system? Why don't 37signals just do it?
Because the newer login system requires you to move away from having an easy-to-remember username (e.g. someperson) that only needs to be unique on a particular Basecamp instance, to picking a harder-to-remember new username (e.g. someperson5946) that needs to be unique everywhere.