Today I accidentally double-posted a reply in a forum and no warning arose - I remember there was a nifty warning telling "It appears you already posted an answer with the same content", but it didn't trigger that time.
You see, often when I click on send my finger bounces slightly on the mouse button causing two clicks in rapid sequence, and that warning prevented quite a number of such occurrences.
I haven't been on this site in a while, so I forgot my password. I clicked the link, and The Code Project sent me my password in clear text in an email.
I would think that a site that specializes in advice for coders would know better than to store passwords using reversible encryption or send them in clear text.
It's a sad state of affairs, but many people use the same password across multiple sites. By keeping users' passwords in the clear, your site is a tempting target for hackers, and if they do compromise your database, then thousands of passwords will be exposed.
In this day and age, the state of your security is inexcusable. Please fix this immediately. Your reputation is already tarnished - no serious software engineer would allow this glaring flaw to make it into production. Please take action before more than your reputation is at stake.
The password you received is a temporary one. Only valid for 1 hour.
When you log in with that temporary password it becomes your permanent password (until you change it again).
This is very clearly stated on the screen after submitting the 'forgot my password'.
Please note: The temporary password that was sent will expire in 1hr. Your existing password (should you remember it) will remain valid until you update it. If you log in with your temporary password, your existing password will be updated to be the temporary password you entered.
Send the encrypted password instead of the one in clear text in the email.
How would that work?
If they sent you the password hash, you'd have no way to determine what the password was, and no way to log in.
If they changed everything to use reversible encryption - which would be a terrible idea! - and sent you the encrypted password, they'd also have to send you the encryption key so that you could decrypt the password. Making the encryption key public would defeat the whole purpose of encrypting the passwords.
Sending a temporary, randomly-generated, time-limited password to your registered email address is the only sensible way to handle a forgotten password.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
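The flow described in the reply above (hashed storage, a random time-limited temporary password, the temporary password replacing the old one on first login) is easy to get subtly wrong, so here is an added, self-contained example of it in Python. It is not The Code Project's code and makes no claim about how their site is implemented: the in-memory `UserStore`, the choice of PBKDF2-HMAC-SHA256 with a per-user salt, the one-hour lifetime and the assumption that the caller emails the returned string are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Hypothetical parameters for this example only. Production systems should use a
# higher iteration count or a memory-hard KDF (scrypt/Argon2); this is kept low
# so the example runs quickly.
PBKDF2_ROUNDS = 100_000
TEMP_PASSWORD_TTL = 3600  # seconds: the one-hour validity the thread describes
DUMMY_SALT = b"\x00" * 16  # used so unknown users cost the same time as known ones


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only the digest is ever stored, never the password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class UserStore:
    """Constructed in-memory user table: username -> {salt, digest, temp}."""

    def __init__(self) -> None:
        self.users = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "temp": None}

    def request_reset(self, username: str, now: Optional[float] = None) -> str:
        """Generate a random temporary password and return it for the caller to email.

        Only its salted hash and expiry time are kept; the plaintext is not stored.
        The user's existing password stays valid, as the thread states.
        """
        now = time.time() if now is None else now
        temp = secrets.token_urlsafe(12)  # ~96 bits of randomness, not user-chosen
        salt, digest = hash_password(temp)
        self.users[username]["temp"] = {
            "salt": salt,
            "digest": digest,
            "expires": now + TEMP_PASSWORD_TTL,
        }
        return temp

    def login(self, username: str, password: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            # Burn a hash anyway so response time does not reveal whether the account exists.
            hash_password(password, DUMMY_SALT)
            return False

        temp = rec["temp"]
        if temp is not None:
            if now > temp["expires"]:
                rec["temp"] = None  # expired: discard, fall back to the existing password
            elif verify_password(password, temp["salt"], temp["digest"]):
                # Logging in with the temporary password makes it the permanent one,
                # exactly the behaviour described in the thread. The old hash is dropped.
                rec["salt"], rec["digest"] = temp["salt"], temp["digest"]
                rec["temp"] = None
                return True

        return verify_password(password, rec["salt"], rec["digest"])


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    emailed = store.request_reset("alice")  # in a real system this string goes in the email
    print("temporary password that would be emailed:", emailed)
    print("old password still works:", store.login("alice", "correct horse battery staple"))
    print("temporary password works:", store.login("alice", emailed))
    print("old password after temp login:", store.login("alice", "correct horse battery staple"))
```

The point the example makes concrete: the server never needs the user's plaintext to hand back, because the reset path mints a fresh secret and stores only its hash. The `now` parameter exists so the expiry logic can be exercised deterministically.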
Christ! Are we having a bad day? Really though you should think a bit more before making such ignorant remarks. The last three sections were completely unnecessary.
"the debugger doesn't tell me anything because this code compiles just fine" - random QA comment
"Facebook is where you tell lies to your friends. Twitter is where you tell the truth to strangers." - chriselst
"I don't drink any more... then again, I don't drink any less." - Mike Mullikin's uncle