Hubski is using an outdated and insecure model of password recovery: if you lose your password, they send you an email with a new one in plain text. This is extremely insecure, especially because they don't force you to create a new password when you log in using the one they sent in a plain text email.

Best practice would be to send an email to the registered account with a link to a page where you must immediately change your password. That way, there is never a plain text password in play.

Also, it would be good to do email verification.


mk:

It's a good point. Add it to the list!


posted by Sage: 1168 days ago
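
The reset-link flow recommended in the post above, as an added example that is not part of the original thread or Hubski's own code: the email carries a random, expiring, single-use token instead of a password, and the user chooses the new password on the page the link opens. `ResetStore`, `TOKEN_TTL`, `PBKDF2_ROUNDS` and the `example.invalid` URL are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60      # assumed link lifetime, in seconds
PBKDF2_ROUNDS = 600_000  # assumed work factor for the stored password hash

def _digest(token):
    # Only the hash of the token is stored, so a leaked table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class ResetStore:
    """In-memory stand-in (hypothetical) for the site's user and reset tables."""
    def __init__(self):
        self._pending = {}    # sha256(token) -> (user, expires_at)
        self._passwords = {}  # user -> (salt, derived key)

    def issue(self, user, now=None):
        """Create a reset token; the caller emails it inside a link."""
        now = time.time() if now is None else now
        # A new request invalidates any earlier outstanding link for the user.
        self._pending = {h: v for h, v in self._pending.items() if v[0] != user}
        token = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (user, now + TOKEN_TTL)
        return token

    def redeem(self, token, new_password, now=None):
        """Set the password the user chose on the reset page; token is single use."""
        now = time.time() if now is None else now
        entry = self._pending.pop(_digest(token), None)  # removed even if expired
        if entry is None or now > entry[1]:
            return False
        salt = secrets.token_bytes(16)
        self._passwords[entry[0]] = (salt, _hash_password(new_password, salt))
        return True

    def verify(self, user, password):
        salt, stored = self._passwords.get(user, (b"", b""))
        return hmac.compare_digest(stored, _hash_password(password, salt))

def reset_link(token):
    # Constructed URL; example.invalid is a placeholder host.
    return f"https://example.invalid/reset?token={token}"
```

No password ever appears in the email, and a link that has been used, superseded or left past its lifetime is rejected.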