Comment 2 for bug 266821

Mats Ahlgren (mats-ahlgren+launchpad) wrote :

The following major security issues also exist:

- If an email account is compromised, an attacker (or even an automated virus) can easily gather all passwords. This would *NOT* happen if no reminders were sent, nor would it happen if the classic "answer the security questions to receive a password reset form" strategy were used.

- Additionally, once the attacker has the dozens of passwords one might use for various mailman lists, the attacker can attempt to use those passwords on other websites or computer systems (e.g. SSH) in automated attacks. The most basic attack would merely use the password, but more sophisticated attacks can use the passwords as seeds in an automated cracker.

> Mark Sapiro: "Are you aware of an attack that would enable this?"
- As the original poster wrote: the password reminders are in plaintext. As far as I know, aren't all email messages sent in plaintext and thus absolutely trivial to eavesdrop on? All the attack would need is a compromised relay on the internet, which I hear is getting more common these days. Just run one of the many network-traffic-monitoring programs and listen for the string "password".
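An added example, not part of the bug thread or of Mailman's own code: a small Python audit that scans a mailbox for reminder messages of the kind discussed above, reports which list passwords were sent in the clear, and flags passwords reused across lists (the reuse risk raised in the second point), so that an owner of a compromised or eavesdropped mailbox knows what to rotate. The reminder layout and the sample messages are constructed assumptions modelled on Mailman 2's monthly reminder, not text taken from the bug.

```python
import re
from email import message_from_string

# Constructed sample mbox (assumption): one Mailman-style reminder plus
# one unrelated message. The reminder layout mimics Mailman 2's monthly
# "memberships reminder" but is not copied from the bug report.
SAMPLE_MBOX = """From mailman@lists.example.org Mon Sep  1 05:00:00 2008
Subject: lists.example.org mailing list memberships reminder
From: mailman-owner@lists.example.org
To: alice@example.com

Passwords for alice@example.com:

List                                     Password // URL
----                                     --------
dev@lists.example.org                    hunter2 // http://lists.example.org/options/dev
users@lists.example.org                  hunter2 // http://lists.example.org/options/users
announce@lists.example.org               s3cret9 // http://lists.example.org/options/announce

From bob@example.com Tue Sep  2 09:00:00 2008
Subject: lunch?
From: bob@example.com
To: alice@example.com

Want to grab lunch today?
"""

REMINDER_SUBJECT = re.compile(r"mailing list memberships reminder", re.I)
# One "<list address>  <password> // <url>" line of the reminder table.
PASSWORD_LINE = re.compile(r"^(\S+@\S+)\s+(\S+)\s+//\s+(\S+)\s*$", re.M)


def split_mbox(text):
    """Split mbox text into raw messages on the 'From ' separator lines."""
    parts = re.split(r"^From .*\n", text, flags=re.M)
    return [p for p in parts if p.strip()]


def extract_reminder_passwords(mbox_text):
    """Return {list_address: password} for every reminder found in the mbox."""
    found = {}
    for raw in split_mbox(mbox_text):
        msg = message_from_string(raw)
        if not REMINDER_SUBJECT.search(msg.get("Subject", "")):
            continue  # not a reminder; nothing disclosed here
        for list_addr, password, _url in PASSWORD_LINE.findall(msg.get_payload()):
            found[list_addr] = password
    return found


def audit(mbox_text):
    """Summarise exposure: lists whose password was mailed in the clear,
    and passwords shared by more than one list (rotate those everywhere)."""
    exposed = extract_reminder_passwords(mbox_text)
    by_password = {}
    for list_addr, pw in exposed.items():
        by_password.setdefault(pw, []).append(list_addr)
    reused = {pw: sorted(ls) for pw, ls in by_password.items() if len(ls) > 1}
    return {"exposed_lists": sorted(exposed), "reused_passwords": reused}


if __name__ == "__main__":
    print(audit(SAMPLE_MBOX))
```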