
Password security

Posted by Gisle Hannemyr on Dec 09, 2008; 4:17am
URL: https://support.nabble.com/Password-reset-increased-security-tp686535p1632486.html

I would like to add my two cents worth:
Transmitting passwords in clear-text is not considered a sound design practice in my neck of the woods.

In addition to the password reset case cited by Kerim Sidia, I've noticed two other instances when this happens:

  1. When you register, and something goes wrong (e.g. you get the CAPTCHA wrong), the passwords are returned in clear-text as arguments named "password1" and "password2" as part of the HTML (just do "view source" to inspect the HTML).
  2. When you try to login and mistype your email address, the same thing happens.

Fortunately, the most blatant problem with these two instances is simple to fix: Just do not embed clear-text passwords in the returned HTML. There is no reason to have it there. The user should know the right password, so he or she should fill in those fields themselves.

In addition: Like Kerim Sidia, I think that any page transferring passwords should be encrypted using SSL. It is true that Nabble itself (being a message board) may not be very sensitive (although with private forums, sensitivity is higher than with public forums). However, users that are active online are not remembering hundreds of different passwords. Many users re-use passwords, and some use the same password for their Nabble account and for more sensitive accounts such as their bank or PayPal. While this is stupid on the part of the user, it happens, and I think a first class service provider should take some measures to protect even stupid users against themselves.

HTTP is not a secure protocol. We know there are sniffers out there that watch for HTML with the string "password" embedded. Nabble's current design makes it trivial to steal passwords by means of such a sniffer.

If you choose not to fix this, on the grounds that Nabble is not a sensitive service, there should at least be a warning on the registration page, alerting the user to the danger of re-using passwords. E.g.: "WARNING: Nabble does not treat your password securely. Please do not use a password that you might use for your bank account, PayPal or other important accounts."
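The fix the post proposes for its two instances (re-render the form after a failed CAPTCHA or a mistyped email address, but never put the submitted passwords back into the page source) is shown below as an added example. It is not Nabble's code and was not part of the original thread; only the field names "password1" and "password2" come from the post. The form layout, the validation rules, the CAPTCHA answer and the `leaked_secrets` scanner are assumptions for illustration. The scanner does what "view source" or a sniffer matching on the string "password" would do: it reports every password input that still carries a non-empty value attribute.

```python
"""Added example: re-rendering a registration form after a validation error
without echoing the submitted passwords back into the HTML.

The field names "password1" and "password2" are the ones named in the post;
everything else here (form layout, validation rules, CAPTCHA answer, scanner)
is an assumption for illustration and is not Nabble's code.
"""
import html
import re

# Fields that must never be written back into a response body.
SECRET_FIELDS = {"password1", "password2"}

# Constructed CAPTCHA answer for the example; a real form would look it up
# in the server-side session.
CAPTCHA_ANSWER = "7xk2q"


def validate(submitted):
    """Return a list of error messages for the constructed registration form."""
    errors = []
    if not submitted.get("email") or "@" not in submitted["email"]:
        errors.append("Please enter a valid email address.")
    if submitted.get("password1") != submitted.get("password2"):
        errors.append("The two passwords do not match.")
    if submitted.get("captcha", "").lower() != CAPTCHA_ANSWER:
        errors.append("The CAPTCHA answer was wrong.")
    return errors


def render_form(submitted, errors, echo_secrets):
    """Render the registration form again, with error messages.

    echo_secrets=True reproduces the design the post criticises: every
    submitted field, passwords included, comes back as a value="..."
    attribute. echo_secrets=False is the fix: password inputs are emitted
    empty and the user types them again. Non-secret fields (email, CAPTCHA)
    are still echoed so the user does not have to retype everything.
    """
    parts = ['<form method="post" action="/register">']
    for msg in errors:
        parts.append(f'<p class="error">{html.escape(msg)}</p>')
    for name in ("email", "password1", "password2", "captcha"):
        kind = "password" if name in SECRET_FIELDS else "text"
        value = submitted.get(name, "")
        if name in SECRET_FIELDS and not echo_secrets:
            value = ""  # the fix: the password never reaches the page source
        parts.append(
            f'<input type="{kind}" name="{name}" '
            f'value="{html.escape(value, quote=True)}">'
        )
    parts.append('<input type="submit" value="Register"></form>')
    return "\n".join(parts)


# Matches an <input> whose name starts with "password" and whose value
# attribute is non-empty, i.e. a password embedded in the HTML.
_SECRET_VALUE = re.compile(
    r'<input[^>]*\bname="(password\d*)"[^>]*\bvalue="([^"]+)"', re.I
)


def leaked_secrets(page_html):
    """Return {field_name: clear-text value} for every password input that
    still carries a value, which is exactly what "view source" shows."""
    return {
        m.group(1): html.unescape(m.group(2))
        for m in _SECRET_VALUE.finditer(page_html)
    }


if __name__ == "__main__":
    # Constructed submission: passwords match, CAPTCHA is wrong.
    submitted = {
        "email": "alice@example.org",
        "password1": "S3cret!pw",
        "password2": "S3cret!pw",
        "captcha": "wrong",
    }
    errors = validate(submitted)
    print("leaked (echoing design):", leaked_secrets(render_form(submitted, errors, True)))
    print("leaked (fixed design):  ", leaked_secrets(render_form(submitted, errors, False)))
```

The same `echo_secrets=False` path covers the second instance in the post (a login attempt with a mistyped email address): keep the email so the user can correct it, drop the password. `leaked_secrets` is also a cheap regression check to run over any rendered error page; it reads the escaped attribute value, so a password containing a double quote is still detected. None of this replaces transport encryption: the form must also be served and posted over SSL, or the re-typed password is sniffable on its next submission.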