...Wow. When I reset my password through my browser so I could log into the site on my phone and tablet, the site sent me a cleartext copy of my new password. I'm glad I use Gmail with 2fa.

jase, can this be changed? I'm uncomfortable with my new password being emailed in a cleartext format. Are they stored on the server that way too?

Have you considered each time you logged in it was being passed clear text?  I had suggested even using a self signed cert if they didn't want to pay for a commercial cert.  (or investigating OpenCA)

Not to put to fine a point on it, but so what?  It's RPOL, not your bank.  So long as you aren't using a password here as the password on another site, what's the worst that will happen?  Someone gets your password and deletes some posts or posts garbage in your games?  You just change the password (or contact the Mods if the hacker changed it on you) and apologize to your GMs for anything the hacker may have posted that messed with the games.

In reply to Evil Empryss (msg # 3):

The "so what" attitude is shared by a lot of people online, actually, and is why most things online are created without giving a thought to security. (Not saying jase hasn't considered it, but he's only one person. I know that struggle.) You may think it's not a big deal, Evil Empryss, but a lot of security experts would disagree with you, specifically because so many people reuse passwords on multiple sites.

My point is that one should put their stress and resources where they do the most good or prevent the most harm.  Changing the password delivery system would be like insisting that there be a safe-sex squad making sure people are using protection to prevent STDs: more work for no more good or less harm than the current system is already providing and the result is likely to be fruiting annoying to all involved.

If someone is dumb or lazy enough in this day and age -- with all the media attention that has come from recent hacks into social media accounts -- to reuse a password from a game site on another site that might have something more important to protect, then the problem is the user, not the site.  Responsibility ultimately has to fall on those not following safe practices, and there's only so much anyone can do outside of education to stop people from being stupid.  It would be a waste of both jase's stress and resources to mess with a system that is already doing what it needs to be doing for the threat level this site operates under.

Besides, there are a ton of other items I'd like to see jase put effort into rather than something I can take care of myself. ^_^

This reminds me of when people finally broke internet security a while back... So yeah, good luck with password security. I wonder how that event resolved.

Well, just so you know for many people it's not their being lazy. It's a memory issue. Some people have memory flaws that make remembering more than one password at a time, impossible. So calling people lazy for something you don't necessarily know about is not the way to go with this issue. Just my own input, because while I have multiple passwords, because of meds I am on, it's getting harder and harder for me to remember multiple things let alone passwords. So I could in the end, end up becoming one of those people who use the same password for all sites just to make sure I don't keep getting locked out of things.

I use LastPass, personally.

And when people want to give me grief about it, I ask them which is more secure -- it, or all my passwords written out on a piece of paper and posted prominently beside my computer?

Because when more and more websites require a password that:

must contain 2 numbers
must contain 3 special characters
must contain 2 capital letters
at least 10 characters
no sequential numbers
no more than 2 sequential letters
not be a variation of your user name
not be a variation of any password you've used before
must be changed every 90 days

Oh, please.  It's not like I don't have 50+ accounts with passwords.

KeePass user, here. So I feel you, Shan. I have a blue million passwords for personal stuff, not counting all the passwords I keep up with for work because I am (basically) an IT admin. (I'm really the tech support specialist, but barring a couple of Finance apps and some backend reports that my boss does, he and I basically have the same job.)