http://www.perlmonks.org?node_id=11120863


in reply to Emailing Passwords? In 2020?

... [don't] email me my password via email.

How should your password be emailed to you?


Give a man a fish:  <%-{-{-{-<

Re^2: Emailing Passwords? In 2020?
by punklrokk (Scribe) on Aug 18, 2020 at 03:20 UTC
    A password reset link should go out at the bare minimum. The original reason that sites stopped sending passwords out is that an attacker that got control of an email account now potentially has a password that may be reused elsewhere. Things like not allowing the last N passwords as well as complexity requirements are considered par for the course these days.

      I don't think that's the original reason. It's more that email is an insecure medium in general. SMTP, POP3, IMAP, etc don't always use encrypted connections. It's becoming more common to encrypt them for the first hop and last hop, but end users have no control over the security of their message as it travels server-to-server. A man in the middle can easily inspect or even alter the contents of the message.

      Sending passwords by email also has a worrying implication — it means that the site knows what your password is. Passwords should be hashed. A website shouldn't be able to send you your original password because it shouldn't know what your original password even is. Unix got rid of plain text passwords in 1973; this has been a well-known security principle for longer than many of us have been alive so there's really no excuse for still making this mistake.

      (PS: for what it's worth, I don't think AnomalousMonk was disagreeing with you, just pointing out that "email XYZ via email" is a tautology.)
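An added example, not code from anyone in this thread, of the two points made above: the site stores only a salted, slow hash (so it has nothing to mail back), and recovery goes through a random single-use reset token, of which only the hash is kept server-side. The in-memory dicts, the function names and the PBKDF2 parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-ins for the site's database tables.
USERS = {}         # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # sha256(token) -> (username, expiry as epoch seconds)

def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: this is all the site keeps, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}

def verify_login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison so timing does not reveal matching prefixes.
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

def issue_reset_token(username: str, ttl: int = 900, now=None) -> str:
    """Return the secret for the emailed link; only its hash is stored."""
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = (username, now + ttl)
    return token

def redeem_reset_token(token: str, new_password: str, now=None) -> bool:
    """Consume the token from the emailed link and set a new password."""
    key = hashlib.sha256(token.encode()).digest()
    entry = RESET_TOKENS.pop(key, None)  # pop: a token works exactly once
    if entry is None:
        return False
    username, expiry = entry
    now = time.time() if now is None else now
    if now > expiry:
        return False
    register(username, new_password)  # fresh salt, fresh hash
    return True
```

Because the mail only ever carries a short-lived, single-use token, an old message in a compromised mailbox yields neither the password nor a working reset link.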

Re^2: Emailing Passwords? In 2020?
by jszinger (Scribe) on Nov 15, 2020 at 21:32 UTC
    In a plain, brown envelope. :-)