[fooyc]

I agree that from a security standpoint it's better not to send the password in plain text at all.

But then you can start listing non-HTTPS sites, too. You disclose your password in plaintext to many servers every time you login on those.

[jonahx]

Those should be listed too. I'm not sure I follow your point: Because there exists this other really bad but common practice, why are we harping on this bad practice?

[hackinthebochs]

Being overly concerned about having your email sniffed as its passed along internet peer is just misplaced anxiety. Anyone who can successfully sniff your password from your email in transit can already own if they chose to. The convenience factor of having your password emailed and having a record of it in many cases trumps this concern.

"But what if someone hacks your email, they know all your passwords!"

What if someone hacks your 1password account? It's the same exact scenario. Having a single point of failure that one can be extra vigilant with guarding is much better than the alternative of having a hundred unique passwords one must remember.

[jonahx]

Re: your 1password vs email point, while they might both be single points of failure, in practice one's email is usually more vulnerable. Boyfriends, girlfriends, friends, etc, have occasional or accidental access to email for whatever reason (Bosco!). Especially on a smartphone. This kind of thing is much less likely, though of course still possible, for password managers. I don't know about 1password in particular, but the one I use has a 15 minute of inactivity (or upon sleep) timeout before the master pw is required again. The iPhone version requires a pin any time it loses and regains focus. And you can customize the settings to alleviate pretty much any level of paranoia.

[fooyc]

My point is that if you feel that the email practice should be listed for the reason that it sends passwords in clear text over the network, then the equally bad practice of sending password over plain HTTP should be listed too.