by oneeyedpigeon
4374 days ago
Having the user send their password over a non-SSL connection when they choose it in the very first place is also less-than-perfect security. Having the user ever type in their full exact password is less-than-perfect, because of key-loggers; when asked to choose a password the very first time, the system should ask how long it is, then ask for random characters from it until the whole thing has been supplied. OR, we should just accept that there's a whole magnitude of difference between sending a password by email on a single occasion, and storing it in plain-text, and focus on the latter problem first.
Who does that? That's even worse than storing it in plain text on the backend.
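A small Python simulation of the "random characters from the password" scheme proposed above, added here to illustrate both posts; it is not code from either commenter. The server stores the password in the clear because per-position checks cannot be answered from a salted hash (the reply's objection), and the observer model shows how many login sessions a key-logger needs to see every position. The sample password and class names are constructed for this example.

```python
import hmac
import secrets

# Constructed sample credential for the simulation; not a real password.
SAMPLE_PASSWORD = "correct horse battery staple"


class PartialPasswordServer:
    """Verifier for a 'type random positions of your password' challenge.

    Because the server must check individual characters, it has to keep the
    password in a recoverable form. Here it is stored as plaintext, which is
    exactly the property the reply criticises: a salted hash cannot answer
    'what is character 7?'.
    """

    def __init__(self, password: str, challenge_size: int = 3):
        self.password = password  # stored in the clear, by necessity
        self.challenge_size = challenge_size
        self._rng = secrets.SystemRandom()  # CSPRNG for position selection

    def challenge(self) -> list[int]:
        """Pick distinct positions the client must reveal this session."""
        positions = self._rng.sample(range(len(self.password)), self.challenge_size)
        return sorted(positions)

    def verify(self, positions: list[int], answer: str) -> bool:
        expected = "".join(self.password[i] for i in positions)
        # Constant-time comparison; returns False on length mismatch too.
        return hmac.compare_digest(expected.encode(), answer.encode())


def client_answer(password: str, positions: list[int]) -> str:
    """What the user types: only the requested characters, in order."""
    return "".join(password[i] for i in positions)


def logins_until_full_recovery(password: str, challenge_size: int,
                               max_sessions: int = 10_000):
    """Model a key-logger that records every challenge and its response.

    Returns (sessions, recovered_password) once every position has been
    observed, or None if max_sessions is exhausted first.
    """
    server = PartialPasswordServer(password, challenge_size)
    seen: dict[int, str] = {}
    for session in range(1, max_sessions + 1):
        positions = server.challenge()
        answer = client_answer(password, positions)
        assert server.verify(positions, answer)  # legitimate login succeeds
        seen.update(zip(positions, answer))  # observer accumulates positions
        if len(seen) == len(password):
            return session, "".join(seen[i] for i in range(len(password)))
    return None
```

With a 28-character password and three positions per login, the observer needs at least ten sessions, and on average a few dozen, to reconstruct the whole password.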