Sometimes, when you see an odd behavior by a popular application, something that is either obviously wrong or not the standard way of doing things, you wonder if it was a conscious decision on the part of the developers, or simply something they had overlooked. I was puzzled by two such incidents recently, one from Hotmail and the other from WordPress.com.
I had not been using Hotmail for some time and had forgotten my password. When I went to reset my password, one of the choices offered was to send the password reset instructions to the email address for which I had forgotten my password. I cannot understand under what circumstances selecting that choice would be a meaningful operation. This is like a locksmith telling you that he will drop the instructions for opening your house door through your chimney when you are locked out of your home and are standing outside.
I recently created a new cricket blog using WordPress.com. It seems that when you create a WordPress ID, they send your username and cleartext password to you by email. This is a little unnerving, because most sites never send you your password, or only send you a temporary password that you are forced to change immediately at the next login. This is a security risk because someone who can gain access to the email account could easily view the password and use the account. If you only had reset instructions or a temporary password, you would know if someone used your account because they would also have to change your password.
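The temporary-password behavior described above, sketched as an added example (this is not WordPress.com's or Hotmail's code; the `Accounts` class, its method names, and the sample username and password are hypothetical). The emailed credential only works until it is used to set a new password, so its later failure tells the owner that someone else got there first.

```python
import hashlib
import hmac
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    # Only a salted hash is stored, so there is no cleartext password to email.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Accounts:
    """Toy in-memory account store (hypothetical, for illustration)."""

    def __init__(self):
        self._users = {}  # username -> {"salt", "hash", "must_change"}

    def _set(self, user, password, must_change):
        salt = secrets.token_bytes(16)
        self._users[user] = {"salt": salt, "hash": _hash(password, salt),
                             "must_change": must_change}

    def register(self, user):
        """Create the account; return the temporary password to email."""
        temp = secrets.token_urlsafe(12)
        self._set(user, temp, must_change=True)
        return temp

    def login(self, user, password):
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(
                rec["hash"], _hash(password, rec["salt"])):
            return "denied"
        # A temporary password never grants a normal session.
        return "must_change" if rec["must_change"] else "ok"

    def change_password(self, user, old, new):
        if self.login(user, old) == "denied" or old == new:
            return False
        self._set(user, new, must_change=False)
        return True

def demo():
    accounts = Accounts()
    emailed = accounts.register("alice")          # constructed sample user
    # Whoever reads the mailbox first is forced to replace the password...
    first = accounts.login("alice", emailed)
    accounts.change_password("alice", emailed, "set-by-first-reader")
    # ...so the emailed value stops working, which the owner will notice.
    later = accounts.login("alice", emailed)
    return first, later

if __name__ == "__main__":
    print(demo())
```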