Why? Because Pandora doesn't even one-way hash their passwords. If your account is logged in on a computer, anyone who sits down at that computer can go and look up your password on Pandora's settings page.
Attached is an image that shows what that settings page looks like upon load - I haven't manually entered anything into the form fields and I don't use Chrome's auto-fill; the text in the fields is populated by Pandora... including the plaintext of the password.
Things like this are why I wrote a blog post about how to do web app auth correctly:
Thanks to for bringing this up.
Edit: Also just discovered that their password-reset tokens aren't single use. You can reset the password of an account multiple times with the same reset token link...
Also, since Pandora allows you to just change the password field and hit "Save", if you come across someone's logged-in computer, you can just change their password even if Pandora didn't tell you what it was. (The right way to do this is to require the user to enter their current password along with the new password, and pre-fill none of the fields.)
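To make those three points concrete, here is an added Python sketch (not Pandora's code and not from the original post) of the practices the post calls for: a salted one-way hash so the plaintext is never stored, a password change that only succeeds when the current password is re-entered, and a reset token that is consumed on first use. The in-memory stores, user names and iteration count are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores for the example; a real app would use a database.
USERS = {}         # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # token -> username; the entry is deleted the moment it is used

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted, one-way: the stored value cannot be turned back into the password,
    # so a settings page has nothing to pre-fill even if it wanted to.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def store_password(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # fresh salt on every set
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}

def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))

def change_password(username: str, current: str, new: str) -> bool:
    # A logged-in session alone is not enough: the current password must be
    # re-entered, so someone at an unattended machine cannot just set a new one.
    if not verify_password(username, current):
        return False
    store_password(username, new)
    return True

def issue_reset_token(username: str) -> str:
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = username
    return token

def reset_password(token: str, new: str) -> bool:
    # pop() removes the token as it is looked up, so the same link cannot be
    # replayed to reset the password a second time.
    username = RESET_TOKENS.pop(token, None)
    if username is None:
        return False
    store_password(username, new)
    return True
```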