Bad Form: Companies Still Send Passwords via Email

Let’s face it: we all reuse the same password for login accounts all over the Internet. At best, some of us create a few passwords through which we rotate.

So why is it that some companies still insist on sending me my password via email right after I create my online account? The reason I have a password in the first place is so that it doesn’t flow back and forth openly in cyberspace only to reside peacefully on multiple mail servers.

This type of action, to me, is a sure sign of amateurs at work. In fact, it’s my lazy man’s approach to giving (or taking away) initial credibility to any company, startup or established: see how they handle the process of creating an online account.

So who gets picked on today? Search engine Mahalo, which is too bad, really, since they otherwise have plenty going for them. In their own words: “Mahalo is a human-powered search engine that creates organized, comprehensive, and spam free search results for the most popular search terms.”

It’s a fairly useful site and doesn’t require an account for much of what you can get out of it. But there are certain features and functions you do need an account for. So I signed up without hesitation and trusted the site subconsciously by using one of my “real” passwords. When I received the subsequent welcome email, there my password was, staring right back at me.

My only workaround to this all-too-common problem is to sign up with any new service using a throwaway I-don’t-care-if-you-know-it password, and to change it to a real password only after a) I receive that initial “thanks for signing up, here’s your account info” email and see that the password was not included, and b) I find that I am interested in using the service for longer than just my first time of messing around.

But even then, I’ve seen some companies send out a “thank you for changing your password” update email which shows both your new and old password. (I’m not sure how Mahalo handles this; I haven’t gotten that far with them.)

What can make it even more of an eye roller is when the situation is thick with irony. I remember last year: An otherwise reputable affiliate program I signed up for wanted to make sure that my password was at least eight characters long and included both numbers and letters. It was then promptly sent out to my email. Wow. Thanks for making sure it was a good password!

Now, Jason Calacanis, the founder / CEO behind Mahalo seems like a reasonable guy. I’ve emailed him to ask for this to be changed (or an explanation). I can already give you the generic explanation I’ve heard before from other companies: “If you forget your password, you can just look it up in your email.” Here’s a better solution:

If I forget my password, I email support at mahalo.com (or whatever the appropriate address is) saying as much. Mahalo should then email me (only at the email address registered in my account) a randomly generated temporary password that works only for a limited amount of time. But it’s enough to get me into my account and allow me to change my password.

Is it a perfect solution? No. Just the first simple solution that comes to mind (that I’ve seen implemented elsewhere). There are other methods, too, like asking you for your mother’s maiden name / third grade teacher / favorite animal, etc. at the time of account creation. The site then asks you one of those questions if you’ve forgotten your password. Even then, though, it shouldn’t just let you in. Again, it should send a temp password to the email address on file.
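The reset flow proposed above (a random, short-lived, single-use temporary credential that goes only to the address on file, followed by the user setting a new password) is simple enough to show end to end. The following is an added example written for this post; it is not Mahalo’s code, and the 15-minute lifetime, the in-memory stores and the sample address are all constructed assumptions. It also shows the part the post takes for granted: the server keeps only a salted hash of the real password, so there is never a plaintext copy to put in a welcome email in the first place.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption for this example: a temporary credential is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ROUNDS = 600_000  # assumption: a current, deliberately slow work factor


@dataclass
class PendingReset:
    email: str
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """Issues and redeems temporary passwords the way the post describes."""

    def __init__(self) -> None:
        # Keyed by SHA-256 of the token: a leaked table yields nothing usable,
        # and the plaintext token exists only in the one email that was sent.
        self._pending: Dict[str, PendingReset] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, registered_email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a guessable word
        self._pending[self._digest(token)] = PendingReset(registered_email, now + TOKEN_TTL_SECONDS)
        return token  # the caller mails this to registered_email and nowhere else

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the account email if the token is live, otherwise None."""
        now = time.time() if now is None else now
        entry = self._pending.get(self._digest(token))
        if entry is None or entry.used or now > entry.expires_at:
            return None
        entry.used = True  # single use: the temp password dies the moment it lets someone in
        return entry.email


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the only form of the password the site should store."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return secrets.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def complete_reset(users: Dict[str, str], store: ResetTokenStore, token: str,
                   new_password: str, now: Optional[float] = None) -> bool:
    """Let the temp password in once, then replace the real one. No email is sent
    afterwards that contains either password."""
    email = store.redeem(token, now)
    if email is None or email not in users:
        return False
    users[email] = hash_password(new_password)
    return True


if __name__ == "__main__":
    # Constructed walk-through of the flow described in the post.
    users = {"reader@example.com": hash_password("original-secret")}  # constructed account
    store = ResetTokenStore()
    temp = store.issue("reader@example.com")
    print("email body (constructed):", f"Your temporary password is {temp}; it expires in 15 minutes.")
    print("reset accepted:", complete_reset(users, store, temp, "new-real-password"))
    print("old password still works:", verify_password("original-secret", users["reader@example.com"]))
    print("new password works:", verify_password("new-real-password", users["reader@example.com"]))
    print("temp password reusable:", store.redeem(temp) is not None)
```

The two properties the post asks for are enforced in `redeem`: the token expires on its own and is marked used on first success, so an old welcome email or a mailbox that is read later cannot be turned into access. Everything else follows from storing `hash_password` output rather than the password itself: the “thanks for changing your password” email the post complains about simply has nothing to include.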

I’m no security expert. But I do know that most any solution is better than automated open emailing of passwords.

*Update* Thanks to Jason Calacanis for responding (see comments below) and opening up for discussion via Twitter. For anyone interested, feel free to follow me on Twitter here.