Recently I started using StumbleUpon. For those who don’t know this site, I provide a short description from their main page:
StumbleUpon discovers web sites based on your interests. Whether it’s a web page, photo or video, our personalized recommendation engine learns what you like, and brings you more.
It’s basically a social networking site for link rating and exchange. It’s a nice way to discover yet unknown gems of the Interweb. Just stumble around.
Here’s what sparked my interest. After registering with the site I received the following email:
Discover new web sites
Thanks for joining StumbleUpon! Please click here
to verify your email address:
Here are your login save this information and
store it securely:
Password: MY PASSWORD IN CLEARTEXT
What the hell are they thinking? Sending a cleartext password through email has not been acceptable for quite a few years now, especially for large public websites. There are other options when users forget their password, for example:
- resetting the password to a random one that is usable only once,
- using control questions, i.e. “What was the name of your first pet?”. They are not very secure, but still better than cleartext passwords.
- lots of other options (Google training for the readers)
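The first option in the list, sketched as an added example (not StumbleUpon's code and not part of the original post): the site emails a random single-use token rather than the password and keeps only the token's hash. The class name, the 15-minute lifetime and the in-memory dict standing in for a database table are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime; choose what fits the site


class ResetTokenStore:
    """In-memory stand-in for a database table of pending password resets."""

    def __init__(self, clock=time.time):
        self._pending = {}  # user -> (sha256 hex of token, expiry timestamp)
        self._clock = clock

    def issue(self, user):
        """Create a random token to email to the user; store only its hash."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Issuing a new token overwrites (invalidates) any earlier one.
        self._pending[user] = (digest, self._clock() + RESET_TTL_SECONDS)
        return token

    def redeem(self, user, token):
        """Return True once for a valid, unexpired token; False otherwise."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at = entry
        candidate = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, candidate):
            return False
        # Matching token: consume it whether or not it has expired.
        del self._pending[user]
        return self._clock() <= expires_at


def demo():
    now = [1_000_000.0]  # constructed fake clock so expiry can be shown
    store = ResetTokenStore(clock=lambda: now[0])
    token = store.issue("alice@example.com")  # constructed sample user
    first = store.redeem("alice@example.com", token)
    replay = store.redeem("alice@example.com", token)
    late_token = store.issue("alice@example.com")
    now[0] += RESET_TTL_SECONDS + 1
    expired = store.redeem("alice@example.com", late_token)
    return first, replay, expired


if __name__ == "__main__":
    print(demo())
```

Because only the hash is stored, a leaked reset table does not hand out working tokens, and the user's real password never has to exist in cleartext in an email or in the database.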
Maybe they count on StumbleUpon being a low-risk site, where losing an account is not dangerous to your online identity. But they obviously forgot that most users use the same password over and over again. So their password for StumbleUpon will be the same as for their Gmail account, and that will be the same as xy other passwords. I am only fortunate that I stopped recycling passwords a long time ago. Shame on you, StumbleUpon!