Friday, February 27, 2004 9:34 PM
by Stephen_McCloskey
Apps that email passwords
Why does the ASP.net administrative site send your plaintext password back to you by email whenever you change it? This strikes me as a bad idea. For that matter, why doesn’t the ASP.net site use https on the page that lets you change your password? Your password is not very secure if the darn thing is floating around the internet, and sitting in random mailboxes, in plaintext. Jeez! The form submission can be sniffed on the wire, the message passes through every mail relay between the site and you, and most mailboxes can be read by an administrator (or by whoever has access to the backups).
Passwords are like an infectious disease: handle them carefully and avoid them whenever possible. They are an essential part of modern applications, but many developers don’t respect how easily they are compromised when mishandled. A site only needs to store a salted hash and compare against it at login; it never needs to send the password anywhere, and a change notification can say that the password was changed without saying what it was changed to. Fear the evil password! Don’t ever write an app that tosses it around in plaintext!
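As an added example (not code from the original post, and not ASP.net’s own code; written in Python rather than C# because the point is language-independent), here is the "email the plaintext back" anti-pattern beside two safer alternatives: a change notification that carries no secret, and a short-lived reset token of which only a hash is stored. The in-memory `USERS` dictionary, the username `alice@example.com` and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory user store for the example; a real app would use a database.
USERS: dict = {}

# Assumption for the example: a current work factor for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a salted PBKDF2-HMAC-SHA256 record; the plaintext never goes into it."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def change_password_insecure(username: str, new_password: str) -> str:
    """The anti-pattern from the post: keep the plaintext and mail it back to the user."""
    USERS[username] = {"password": new_password}  # plaintext at rest as well as in transit
    return (f"To: {username}\nSubject: Your password was changed\n\n"
            f"Your new password is: {new_password}\n")


def change_password_secure(username: str, new_password: str) -> str:
    """Store only a salted hash; the notification says a change happened, not what it was."""
    USERS[username] = hash_password(new_password)
    return (f"To: {username}\nSubject: Your password was changed\n\n"
            "Your password was changed just now. If you did not do this, "
            "use the password-reset link on the sign-in page.\n")


def issue_reset_token(username: str, ttl_seconds: int = 900) -> str:
    """Mail a single-use, short-lived token instead of a password; only its hash is stored."""
    token = secrets.token_urlsafe(32)
    USERS.setdefault(username, {})["reset"] = {
        "hash": hashlib.sha256(token.encode("utf-8")).hexdigest(),
        "expires": time.time() + ttl_seconds,
    }
    return token  # goes into the email; a leaked copy is useless after ttl_seconds or first use


def redeem_reset_token(username: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
    """Accept the token once, before expiry, then replace the record (dropping the token)."""
    now = time.time() if now is None else now
    pending = USERS.get(username, {}).get("reset")
    if pending is None or now > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, pending["hash"]):
        return False
    USERS[username] = hash_password(new_password)  # also discards the used token
    return True


if __name__ == "__main__":
    print(change_password_insecure("alice@example.com", "hunter2"))   # secret in the mail
    print(change_password_secure("alice@example.com", "correct horse"))  # no secret in the mail
    tok = issue_reset_token("alice@example.com")
    print("reset accepted:", redeem_reset_token("alice@example.com", tok, "new pass"))
```

Neither safer variant needs https to keep the email harmless, but the change page itself still must be served over https, since a sniffed form submission hands over the new password before any of this code runs.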