[uulbiy]

It's not the same but there are other security issues. The server to server transfer of the email message might not be encrypted (it might be if both have TLS extensions enabled). So, emailing plain text passwords is always a bad idea even if it's not stored as such.

[fooyc]

I agree that from a security standpoint it's better not to send the password in plain text at all.

But then you can start listing non-HTTPS sites, too. You disclose your password in plaintext to many servers every time you login on those.

[jonahx]

Those should be listed too. I'm not sure I follow your point: Because there exists this other really bad but common practice, why are we harping on this bad practice?

[hackinthebochs]

Being overly concerned about having your email sniffed as its passed along internet peer is just misplaced anxiety. Anyone who can successfully sniff your password from your email in transit can already own if they chose to. The convenience factor of having your password emailed and having a record of it in many cases trumps this concern.

"But what if someone hacks your email, they know all your passwords!"

What if someone hacks your 1password account? It's the same exact scenario. Having a single point of failure that one can be extra vigilant with guarding is much better than the alternative of having a hundred unique passwords one must remember.

[jonahx]

Re: your 1password vs email point, while they might both be single points of failure, in practice one's email is usually more vulnerable. Boyfriends, girlfriends, friends, etc, have occasional or accidental access to email for whatever reason (Bosco!). Especially on a smartphone. This kind of thing is much less likely, though of course still possible, for password managers. I don't know about 1password in particular, but the one I use has a 15 minute of inactivity (or upon sleep) timeout before the master pw is required again. The iPhone version requires a pin any time it loses and regains focus. And you can customize the settings to alleviate pretty much any level of paranoia.

[fooyc]

My point is that if you feel that the email practice should be listed for the reason that it sends passwords in clear text over the network, then the equally bad practice of sending password over plain HTTP should be listed too.

[oneeyedpigeon]

Having the user send their password over a non-SSL connection when they choose it in the very first place is also less-than-perfect security. Having the user ever type in their full exact password is less-than perfect, because of key-loggers; when asked to choose a password the very first time, the system should ask how long it is, then ask for random characters from it until the whole thing has been supplied.

OR, we should just accept that there's a whole magnitude of difference between sending a password by email on a single occasion, and storing it in plain-text, and focus on the latter problem first.

[aianus]

> Having the user send their password over a non-SSL connection when they choose it in the very first place is also less-than-perfect security.

Who does that? That's even worse than storing it in plain text on the backend.

[oneeyedpigeon]

The first site [1] on the blog in question, for example.

[1] http://www.assosfactoryoutlet.com/customer/account/create/