There’s an interesting, if depressing, post over at hover.com about how feedback had fueled new features. One of these new features seems particularly ill-advised. Apparently some of their users weren’t able to remember their passwords, so Hover would send them a special link to reset it, a common and reasonably secure method of handling lost passwords. Unfortunately, the delicate flowers in their user base found this “confusing” and too hard to use. Hover responded by changing the process so that users would be emailed their passwords.
Consider what this means. First, the passwords are being sent in the clear so that there are several opportunities for compromise. Worse, it means that those passwords are not hashed at Hover. Indeed, they explicitly say that the passwords are stored in the clear. There is, I think, a very good chance that the Hover site will be attacked and those passwords and other information exposed. Right after that, the lawsuits will start. Does this make any sense?
Hover provides domain registry and related services so there is something of value to protect. Their Web site makes a point of stressing that they provide Whois privacy to keep contact information private so any lawsuits will surely point to an implied contract to keep this information safe. I just don’t understand what the folks at Hover are thinking. Sure, you want to make things easy for your customers—that’s one of their selling points—but sometimes you need to explain to them why the seemingly complex procedures you use are necessary for their protection. I don’t see how this ends well for Hover.