I am a member of another forum and forgot my password, so I clicked the "Forgot password" link and was told "fill this form out and we'll send you your lost password" or words to that effect. It occurred to me that I had never seen language like this and I figured that this was bad security. Normally you are sent a link to RESET your password. You are NOT sent your OLD password that you forgot. I've never been responsible for authenticating users' passwords, but my understanding is that you are not supposed to store the password on the server side, you are supposed to store a HASH of the password (or some salted version of it?), not the password itself, and thus they should not be able to give me back my password. If they can send me my password back, then they must have saved my password or are using a bad hash function, correct? Additionally, even if they could send me back my password, wouldn't they want to force me to change it because it may no longer be secure on my end? Why take that chance?
Just wanted to know if my understanding of this is correct and this is bad security policy on their end. I never actually filled out the form since I remembered my password before I started filling the form out and hitting "Send".
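A minimal illustration of the design the question describes, added here as example code (not from the forum or any site mentioned): passwords are stored only as salted PBKDF2 digests, so the server has nothing it could send back, and "forgot password" issues a short-lived, single-use reset token whose hash is stored. The in-memory dictionaries and the iteration count are assumptions standing in for a real database and policy.

```python
import hashlib, hmac, os, secrets, time

# Constructed in-memory "tables" for the example; a real site uses a database.
USERS = {}          # username -> {"salt": bytes, "digest": bytes}; no plaintext anywhere
RESET_TOKENS = {}   # sha256(token) -> (username, expiry timestamp)
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed policy value)

def store_password(username, password):
    """Store only a random salt and the derived digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    USERS[username] = {"salt": salt, "digest": digest}

def verify_password(username, candidate):
    """Re-derive the digest from the candidate and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(digest, rec["digest"])

def issue_reset_token(username, ttl_seconds=900, now=None):
    """Create a single-use reset token; only its hash is stored, so a DB leak cannot replay it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (username, now + ttl_seconds)
    return token  # this goes into the e-mailed reset link, not the old password

def reset_password(token, new_password, now=None):
    """Consume the token (once) and replace the stored digest; fails if unknown or expired."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    username, expires = entry
    if now > expires:
        return False
    store_password(username, new_password)
    return True
```

Because the server holds only salt and digest, a "we'll send you your password" message implies the site kept the plaintext or something reversible, which is exactly the concern raised in the question.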