26 May 2015, 7:28 p.m.
On Tue, May 26, 2015 at 9:06 AM, John Levine <johnl@iecc.com> wrote:
> If they do a reset, what difference does it make whether they send the password in plain text or as a one-time link? Either way, if a bad guy can read the mail, he can steal the account.
If they can e-mail you your existing password (*cough*Netgear*cough*), it means they are storing your credentials in the database un-encrypted.

-A