Password reminders or: How not to instill confidence

Please do not do this:

Password reminder email

Either send me a random temporary password and force me to change it as soon as I have logged in with it (not great, because that temporary password now sits in my inbox until I do), or, better, send me a single-use link that expires quickly and lets me choose a new secret password myself.

And definitely do not leave me believing that my password is stored in plain text (or at best reversibly encrypted) in your database, which is exactly what emailing it back to me indicates: if you can send me my password, you never hashed it. It should be stored only as the output of a one-way hash function, with a per-user random salt and key stretching (many iterations), so that even a stolen copy of the database does not hand over the passwords.
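To make both points concrete (the reset link instead of a mailed password, and salted, stretched one-way hashing), here is an added example in Python. It is not code from the original post; the `UserStore` class, its in-memory dictionaries, the 15-minute token lifetime and the iteration count are all assumptions chosen for illustration, and the users in the demo are constructed. Only the PBKDF2 record and a SHA-256 hash of the reset token are ever stored, so neither the password nor a usable reset token can be read out of the store, and a reset token works once and then expires.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed parameters. A per-user random salt defeats precomputed tables; a high
# iteration count ("stretching") makes each guess expensive for an attacker who
# has stolen the hashes. 600,000 is OWASP's current guidance for PBKDF2-HMAC-SHA256.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000
RESET_TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of an emailed reset link


def hash_password(password: str, salt: bytes = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    Storing the parameters beside the hash lets you raise the iteration count
    later and re-hash users transparently on their next login."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations and compare."""
    algorithm, iterations, salt_hex, stored_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing does not leak matching bytes.
    return hmac.compare_digest(digest, bytes.fromhex(stored_hex))


class UserStore:
    """Toy in-memory user table (hypothetical; a real system uses a database)."""

    def __init__(self):
        self._users = {}          # email -> password record (never the password)
        self._reset_tokens = {}   # sha256(token) -> (email, expiry timestamp)

    def register(self, email: str, password: str) -> None:
        self._users[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        record = self._users.get(email)
        return record is not None and verify_password(password, record)

    def request_reset(self, email: str, now: float = None):
        """Return the token to embed in the emailed link, or None for an unknown user.

        The token itself is never stored, only its hash, so a leaked database
        does not let an attacker reset accounts. The user-facing message should
        be identical in both cases so the response does not reveal which
        addresses have accounts."""
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        expiry = (now if now is not None else time.time()) + RESET_TOKEN_TTL_SECONDS
        self._reset_tokens[key] = (email, expiry)
        return token

    def complete_reset(self, token: str, new_password: str, now: float = None) -> bool:
        """Consume the token (single use) and, if it is valid and unexpired, set the new password."""
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self._reset_tokens.pop(key, None)   # pop: a token can only be used once
        if entry is None:
            return False
        email, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            return False                             # expired tokens are discarded too
        self._users[email] = hash_password(new_password)
        return True


if __name__ == "__main__":
    # Constructed demo data.
    store = UserStore()
    store.register("alice@example.com", "correct horse battery staple")
    print("stored record:", store._users["alice@example.com"])   # no password in here
    token = store.request_reset("alice@example.com")
    print("emailed link: https://example.com/reset?token=" + token)
    print("reset ok:", store.complete_reset(token, "new secret"))
    print("reuse ok:", store.complete_reset(token, "another"))    # False: single use
    print("login with new password:", store.login("alice@example.com", "new secret"))
```

Two design choices worth noting: the reset endpoint rehashes and stores the new password exactly as registration does, so there is no second code path that could accidentally keep a plaintext copy; and expiry is checked after the token has already been removed, so an expired link is dead whether or not anyone ever tries it.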

This entry was posted on 17 January 2011.