[Cryptography] Why is emailing me my password?

Markus Wanner markus at bluegap.ch
Tue Oct 1 16:43:44 EDT 2013


On 10/01/2013 10:26 PM, Kelly John Rose wrote:
> I think that's absurd to say that it gives a false sense of security. It
> only gives a sense of security if you didn't read the text when you
> entered the password in the first place.

Well, that applies to at least 90% of people for 90% of the cases. Yes,
often enough including myself.

> It keeps people from doing mass unsubscribes trivially.

As I pointed out, there are other ways to achieve that, without the need
for a password. Or actually rather with one-time passwords, instead.

> If someone was targeting you, yes, they would be able to delete your
> subscription,

Sure. That's the case either way.

> but that would likely be true with little effort to begin
> with if you are of the type that doesn't read that your password is
> stored insecurely and sent in plain text when you enter it.

Let's compare apples to apples: even if you manage to actually read the
instructions, you actually have to do so, have to come up with a
throw-away-password, and remember it. For no additional safety compared
to one-time tokens.

The positive point I see for the web front-end is that people are more
used to it. And have a hard time reading instructions on emails and
hitting reply to send back a confirmation token. But your hypothesis is
that people do read instructions, so...

Regards

Markus Wanner
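
The one-time confirmation token Markus is arguing for, as an added example that is not part of the original message and not Mailman's own code. It shows the server side of the reply-to-confirm flow: the list manager mails a fresh random token, the subscriber replies with it, and the token is dead after one use, so a mass unsubscribe needs access to every subscriber's mailbox rather than a stored password. The three-day validity window, the `unsubscribe-token:` line format, the `UnsubscribeConfirmation` class and the injectable `clock` are all assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets
import time
from typing import Optional, Tuple

# Assumed value for the example; a real list manager would take this from its config.
TOKEN_TTL_SECONDS = 3 * 24 * 3600      # a confirmation reply must arrive within three days


class UnsubscribeConfirmation:
    """Issue and redeem single-use, time-limited unsubscribe confirmation tokens.

    The subscriber chooses and remembers nothing.  Whoever can read the
    subscriber's mailbox can confirm; nobody else can, and a confirmation
    works exactly once.
    """

    def __init__(self, server_secret: bytes, clock=time.time, ttl: int = TOKEN_TTL_SECONDS):
        self._secret = server_secret
        self._clock = clock            # injectable for testing expiry offline
        self._ttl = ttl
        # nonce -> (address, listname, issued_at).  Deleting the entry on
        # redemption is what makes a token single-use.
        self._pending = {}

    def _mac(self, nonce: str, address: str, listname: str, issued: int) -> str:
        # Binds the token to one address and one list, so a token captured for
        # one subscriber cannot be rewritten to unsubscribe another.
        msg = f"{nonce}|{address}|{listname}|{issued}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]

    def issue(self, address: str, listname: str) -> str:
        address = address.strip().lower()
        nonce = secrets.token_hex(16)            # 128 bits: not guessable, not enumerable
        issued = int(self._clock())
        self._pending[nonce] = (address, listname, issued)
        return f"{nonce}.{issued}.{self._mac(nonce, address, listname, issued)}"

    def confirmation_mail(self, address: str, listname: str) -> str:
        """The message the list manager sends; the subscriber just hits reply."""
        token = self.issue(address, listname)
        return (
            f"To: {address}\n"
            f"Subject: confirm unsubscribe from {listname}\n\n"
            "Reply to this message, keeping the line below intact, to confirm:\n\n"
            f"unsubscribe-token: {token}\n"
        )

    def redeem(self, token: str) -> Optional[Tuple[str, str]]:
        """Return (address, listname) for a valid, unused, unexpired token, else None."""
        try:
            nonce, issued_str, mac = token.strip().split(".")
            issued = int(issued_str)
        except ValueError:
            return None                          # malformed
        entry = self._pending.get(nonce)
        if entry is None:
            return None                          # unknown, or already used (replay)
        address, listname, stored_issued = entry
        if stored_issued != issued:
            return None
        if not hmac.compare_digest(self._mac(nonce, address, listname, issued), mac):
            return None                          # tampered; leave the real token usable
        del self._pending[nonce]                 # single use, whether or not it is still fresh
        if self._clock() - issued > self._ttl:
            return None                          # expired
        return address, listname

    def handle_reply(self, body: str) -> Optional[Tuple[str, str]]:
        """Pull the token out of a reply, even when the client quoted it with '> '."""
        m = re.search(r"unsubscribe-token:\s*([0-9a-f]+\.\d+\.[0-9a-f]+)", body)
        return self.redeem(m.group(1)) if m else None


if __name__ == "__main__":
    svc = UnsubscribeConfirmation(secrets.token_bytes(32))
    mail = svc.confirmation_mail("alice@example.org", "cryptography")
    reply = "> " + mail.replace("\n", "\n> ")   # constructed: a quoted reply
    print(svc.handle_reply(reply))              # ('alice@example.org', 'cryptography')
    print(svc.handle_reply(reply))              # None: the token was consumed
```

The server-side table is what enforces single use; the HMAC only lets the server reject forged or edited tokens without touching that table, and without destroying the genuine pending token on a bad guess. Nothing here is stored that would be worth mailing back to the subscriber later.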

