Strange Password Behavior on Hotmail and WordPress

by Krishna on January 16, 2009

Sometimes, when you see an odd behavior by a popular application, something that is either obviously wrong or not the standard way of doing things, you wonder if it was a conscious decision on the part of the developers, or simply something they had overlooked. I was puzzled by two such incidents recently, one from Hotmail and the other from WordPress.com.

I had not been using Hotmail for some time and had forgotten my password. When I went to reset my password, one of the choices offered was to send the password reset instructions to the very email address whose password I had forgotten. I cannot understand under what circumstances selecting that choice would be a meaningful operation. This is like a locksmith telling you that he will drop the instructions for opening your house door through your chimney when you are locked out of your home and are standing outside.


I recently created a new cricket blog using WordPress.com. It seems that when you create a WordPress id, they send your username and cleartext password to you by email. This is a little unnerving, because most sites never send you your password, or send only a temporary password that you are forced to change immediately at the next login. This is a security risk because anyone who can gain access to the email account could easily view the password and use the account. If you only had reset instructions or a temporary password, you would know if someone used your account because they would also have to change your password.
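The alternative described above, a one-time reset link in place of the cleartext password, as an added example (not code from WordPress.com or Hotmail). The `Accounts` class, the `blog.example` URL, the one-hour lifetime and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed policy)


def _hash_password(password, salt):
    # Salted, slow hash: the site itself never keeps the cleartext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Accounts:
    """In-memory account store (constructed for this example)."""

    def __init__(self):
        self.users = {}   # username -> (salt, password hash)
        self.resets = {}  # sha256(token) -> (username, expiry time)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, _hash_password(password, salt))

    def check_password(self, user, password):
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def reset_email(self, user, now=None):
        """Return (token, message body): a one-time link, never the password."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.resets[digest] = (user, now + TOKEN_TTL)  # only the hash is kept
        return token, f"Reset your password: https://blog.example/reset?t={token}"

    def redeem(self, token, new_password, now=None):
        """Consume the token and set a new password; False if unusable."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.resets.pop(digest, None)  # pop makes the link single-use
        if entry is None or now > entry[1]:
            return False
        self.set_password(entry[0], new_password)
        return True
```

Because redeeming a link replaces the password, anyone who uses a link found in the mailbox locks the owner's old password out, which is the signal the post describes.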


{ 2 comments }

Abhilash January 16, 2009 at 11:21 am

Windows Live recently got out of beta. I think MS could take a leaf out of Google’s book – keep the mail service in beta just like Gmail, which seems to be in perpetual beta. You can’t complain about beta products!!! 🙂

But let me try to be fair to MS: Did you give your own ID as your alternate email? (I tried that myself, it is not allowing me to do that, but that could be a recent fix)

Krishna Kumar January 16, 2009 at 11:43 am

No, I had a different email address as my alternate email address. So I was able to get my password. But I wonder why the option to send the password to the locked-out account is available.
