merkatsu / website


Password recovery reveals password #80

Closed djtanuzzo closed 8 years ago

djtanuzzo commented 9 years ago

I gave the password recovery system a try and it showed the old password. This should never happen as it is a security risk for the user.

What should happen instead is that the password is reset to a randomized combination of numbers and letters, which the user can then use to log in and change his password again.

esperancaJS commented 9 years ago

Ah! So that we don't reveal the potential password to other websites. Still, if anyone has access to the user's email they'll still be able to do what they want. But I get how it can be scary. I think I'll just simply not show any password at all since it requires no extra development. This will be fixed with #43
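The reset flow djtanuzzo proposes (replace the password with random letters and digits, let the user log in with it and change it), as an added example that is not code from the merkatsu/website project. It assumes a hypothetical in-memory `USERS` store in place of the site's database and goes beyond the comment in two ways a practitioner would want: passwords are kept only as salted PBKDF2 hashes, so a recovery feature cannot show the old password because the site never has it, and the temporary password is flagged and time-limited, so login forces a change and the window in which a mailbox reader (esperancaJS's caveat) can use it is bounded. The iteration count and one-hour lifetime are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string
import time
from typing import Optional

# Hypothetical in-memory user store standing in for the site's database.
# Each record holds a salt and a PBKDF2 hash, never the password itself, so
# nothing in the record can be turned back into the old password.
USERS = {}

PBKDF2_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256
TEMP_PASSWORD_TTL = 3600      # assumed lifetime of a temporary password, in seconds


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def set_password(username: str, password: str, temporary: bool = False) -> None:
    """Store a fresh salt and hash; temporary passwords are marked so login forces a change."""
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "temporary": temporary,
        "issued_at": time.time(),
    }


def check_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        # Spend the same work as a real check so unknown users are not
        # distinguishable from known ones by response time.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def generate_temp_password(length: int = 12) -> str:
    """Random letters and digits from the OS CSPRNG, as the issue proposes."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def recover_password(username: str) -> Optional[str]:
    """Overwrite the stored hash with a temporary password and return it for e-mailing.

    The old password is gone from the record (and was never recoverable from it).
    Returns None for unknown users so the caller can still reply with the same
    neutral "if that address has an account, mail was sent" message.
    """
    if username not in USERS:
        return None
    temp = generate_temp_password()
    set_password(username, temp, temporary=True)
    return temp


def login(username: str, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'must_change' (temporary password accepted) or 'denied'."""
    now = time.time() if now is None else now
    if not check_password(username, password):
        return "denied"
    rec = USERS[username]
    if rec["temporary"]:
        if now - rec["issued_at"] > TEMP_PASSWORD_TTL:
            return "denied"  # stale temporary password: the user must request another
        return "must_change"
    return "ok"


if __name__ == "__main__":
    set_password("alice", "correct horse battery")
    temp = recover_password("alice")          # this value goes in the e-mail
    print(login("alice", "correct horse battery"))  # denied: old password no longer valid
    print(login("alice", temp))                # must_change
```

The `must_change` result is what the site should act on: let the session through only to the change-password form until `set_password` has been called with a user-chosen password, which clears the `temporary` flag.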