In reply to jase (msg # 8):
Also not criticising the site — it's fantastic, have been using it happily for years.
I've just noticed the same thing — an email sent to me with my password in open text. The site does appear to be using SSL now, though.
Are there any plans to change the password mechanisms along any of the following lines?
- Stop sending the password in the confirmation email — just acknowledge the change
- Implement multi-factor authentication (MFA)
- Email a secure password reset link rather than the password
I appreciate that you're working on this in your free time and that we're not really keeping sensitive information here, so while the risk of a breach is high, the impact is likely to be negligible.
Thanks!