I just received a newsletter from a social network site (brijj.com) and was surprised how they had embedded my username and password in clear text. It speaks volumes on how seriously they take security. I think when storing passwords all sites should go by a few rules:

  • Do not store passwords in cleartext. Never ever.
  • Protect stored passwords cryptographically, preferably with a one-way hash, so that nobody (the site included) can recover the original password.
  • If you break the above rules, which several sites do, at least do not send out passwords in emails without being asked to. That’s the worst you can do.

Everyone should realize that people tend to use the same passwords for several sites and accounts, so sending out passwords in clear text not only compromises the user’s account at your site but possibly at other places as well.