Comment Re:Ask yourself (Score 1) 141
This times a lot. I'm not saying it's an ideal practice that this as-yet-unnamed vendor is doing, but I also don't view it as the end of the world either, particularly if no ultra-sensitive data is stored on the company's servers (i.e., credit card numbers, SSNs, etc.). In my eyes (admittedly not knowing all of the details), the biggest problem here may be that the vendor is storing passwords in plain text, which I can't quite fathom a reason for. At a bare minimum, they should be encrypted (which would not preclude the company from retrieving the clear text equivalent), but preferably hashed. You as a user may not be able to tell the difference between a company that stores passwords in plain text and one that actually e-mails them, but they're pretty close in levels of security, in my mind (and this is a very good reason for using a different password for every site, as has been suggested by many a Slashdotter).
There can be security benefit to a lost password procedure not involving e-mailing a password to a user though. The best ones I've seen e-mail a link back to the company's site containing some sort of token that proves you received the e-mail (at your registered address), and then prompt you to ask for the answers to one or more security questions that you configured when you first set up the account before you are prompted to enter/select a new password.
Security is a fundamentally hard problem, and while there have clearly been many SSL issues as of late, this is just not one of them.
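The reset flow the comment describes (e-mail a link carrying a token, then let the user set a new password that is stored only as a hash), as an added example that is not from the original post. It assumes a constructed 15-minute token lifetime and a PBKDF2 work factor; the security-question step the comment mentions is left out.

```python
"""Password-reset flow: e-mailed one-time token, then a hashed new password."""
import hashlib
import hmac
import secrets

TOKEN_TTL_SECONDS = 15 * 60      # constructed policy: reset link valid for 15 minutes
PBKDF2_ROUNDS = 600_000          # constructed work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str) -> str:
    """Store salt and PBKDF2 hash; the clear text cannot be recovered from this."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class ResetFlow:
    """Tracks pending reset tokens; only the token's hash is persisted server-side."""

    def __init__(self):
        self.pending = {}    # username -> (token_hash, expires_at)
        self.passwords = {}  # username -> stored password hash

    def issue_link(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)                     # goes only into the e-mail
        token_hash = hashlib.sha256(token.encode()).digest()  # a DB leak exposes no usable token
        self.pending[username] = (token_hash, now + TOKEN_TTL_SECONDS)
        return f"https://example.invalid/reset?user={username}&token={token}"

    def redeem(self, username: str, token: str, new_password: str, now: float) -> bool:
        """Accept the token once, before expiry, then store a freshly hashed password."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        token_hash, expires_at = entry
        presented = hashlib.sha256(token.encode()).digest()
        if now >= expires_at or not hmac.compare_digest(presented, token_hash):
            return False
        del self.pending[username]  # single use: the link is dead after a successful reset
        self.passwords[username] = hash_password(new_password)
        return True
```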