by imsaar 6079 days ago
Incredibly educational comment. I stand corrected that it is not necessarily true that they would store it in clear text in the database, but if someone is sending me a password in clear text in email I would not give them a lot of benefit of the doubt to do the right thing.

Besides, what is the utility of sending such an email? If certain software is open source and I can assure they are doing the right thing, I will be much more comfortable.


I store passwords as a hash in the database, but send it to the user in plaintext when they register. Why?

1. I didn't use to do this, but I got so many requests that I eventually caved.
2. No money changes hands on the site.

Without education, people won't learn. I'm a fan of thoughtful UX but, frankly... this is an area where caving sucks. Sorry. I'd have spent the time improving my password recovery service.

Hmm. Fair point. Maybe I'll reconsider sooner rather than later.