Whenever you come across a site that emails you your password

You should email the administrator with a message to that effect.

I have noticed that when a user tells the site that they have forgotten their password, the site will send the password to their email address.

This is bad practice. A site can only email a password if it can recover the original, which means every password is sitting in the database in plain text or in a form the site can reverse, and when your data gets compromised (one day it will) every one of them goes out the door with it.

This matters because some users reuse the same email address and password combination on other sites, so a breach of your database hands an attacker their accounts elsewhere too.

You should look into hashing passwords with a per-user salt. SHA-2 is fine as the building block, but use it inside a deliberately slow construction such as PBKDF2, or pick a purpose-built password hash such as bcrypt, scrypt or Argon2; a single salted round of SHA-2 can still be brute-forced quickly on modern hardware.

And rather than sending the password in an email, send a reset link carrying a random, single-use token that expires after a short time. Store only a hash of that token on the server, so a database dump does not hand out working reset links either.
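To make the two recommendations concrete, here is an added example (my code, not anything from the site in question) showing salted, iterated SHA-256 password storage via PBKDF2 from the Python standard library, plus a reset flow that mails a random single-use token and keeps only its hash. The `UserStore` class, the iteration count and the 15-minute token lifetime are assumptions made for the example; tune the iteration count until one hash takes tens of milliseconds on your hardware.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed parameters for this example: raise PBKDF2_ITERATIONS until a
# single hash costs tens of milliseconds on the production hardware.
PBKDF2_ITERATIONS = 600_000
RESET_TOKEN_TTL = 15 * 60  # seconds a reset link stays valid


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'.

    A fresh random salt per user means two users with the same password get
    different records, and precomputed (rainbow) tables are useless.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def _token_key(token: str) -> str:
    # Only this hash is stored; the raw token lives solely in the email link.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class UserStore:
    """In-memory stand-in for the site's user table (constructed for the example)."""

    def __init__(self) -> None:
        self.users = {}   # email -> password record (never the password itself)
        self.resets = {}  # sha256(token) -> (email, expires_at)

    def register(self, email: str, password: str) -> None:
        self.users[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        record = self.users.get(email)
        return record is not None and verify_password(password, record)

    def start_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Mint a random single-use token; the caller emails it as a link.

        Returns None for unknown accounts. The HTTP response should look the
        same either way so the form cannot be used to enumerate users.
        """
        if email not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.resets[_token_key(token)] = (email, now + RESET_TOKEN_TTL)
        return token

    def finish_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Consume the token (whether or not it is still valid) and set a new hash."""
        now = time.time() if now is None else now
        entry = self.resets.pop(_token_key(token), None)  # pop: single use
        if entry is None:
            return False
        email, expires_at = entry
        if now > expires_at:
            return False
        self.users[email] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("alice@example.com", "correct horse")  # constructed sample account
    token = store.start_reset("alice@example.com")
    print("what the database holds:", store.users["alice@example.com"])
    print("reset succeeded:", store.finish_reset(token, "battery staple"))
    print("login with new password:", store.login("alice@example.com", "battery staple"))
```

Note what a thief of this database gets: PBKDF2 records that must be brute-forced one user at a time, and token hashes that cannot be turned back into a working reset link. Compare that with the original design, where the same dump yields every password ready to try on other sites.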

I know that the current specification for the site may have come from someone less security conscious who thinks that sending the password is more user friendly (and on the surface it is), but it is a security flaw.
