If you have a Pandora account, I highly recommend using a throwaway password for it (assuming you don't do so already).
Why? Because Pandora evidently doesn't even one-way hash their passwords: a password that has only been hashed can't be displayed back to anyone, yet Pandora displays it. If your account is logged in on a computer, anyone who sits down at that computer can go and look up your password on Pandora's settings page.
Attached is an image that shows what that settings page looks like upon load. I haven't manually entered anything into the form fields and I don't use Chrome's auto-fill; the text in the fields is populated by Pandora... including the plaintext of the password.
Things like this are why I wrote a blog post about how to do web app auth correctly.
Thanks to +Dan Boger for bringing this up.
Edit: Also just discovered that their password-reset tokens aren't single-use. You can reset the password of an account multiple times with the same reset token link...
Also, since Pandora's settings page lets you simply edit the password field and hit "Save", anyone who comes across a logged-in computer can change the account's password even without ever learning the current one. (The right way to do this is to require the user to enter their current password along with the new password, verify it against the stored hash, and pre-fill none of the fields.) #security #pandora
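To make the two fixes above concrete, here is an added example of a minimal account store that does what this post argues Pandora should: it stores only a salted one-way hash (so there is nothing to show on a settings page), refuses a password change unless the current password is supplied and verifies, and issues reset tokens that are single-use and expiring. This is illustrative code written for this post, not Pandora's code or anything from the linked blog post; the class and function names, the PBKDF2 parameters and the 15-minute token lifetime are all assumptions.

```python
"""Added example (not Pandora's code): hashed passwords, current-password
check on change, and single-use expiring reset tokens."""
import hashlib
import hmac
import os
import secrets
import time

# Assumed parameters: PBKDF2-HMAC-SHA256 with a 16-byte random salt.
SALT_LEN = 16
ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return salt || PBKDF2 digest. Only this value is ever stored."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    """Recompute the digest with the stored salt; compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class AccountStore:
    def __init__(self, clock=time.time):
        self._users = {}         # username -> salt || hash (never the password)
        self._reset_tokens = {}  # sha256(token) -> (username, expires_at)
        self._clock = clock      # injectable so expiry can be tested offline

    def create_user(self, username, password):
        self._users[username] = hash_password(password)

    def login(self, username, password):
        stored = self._users.get(username)
        return stored is not None and verify_password(password, stored)

    def change_password(self, username, current_password, new_password):
        """Someone at a logged-in browser still needs the current password."""
        if not self.login(username, current_password):
            return False
        self._set_password(username, new_password)
        return True

    def issue_reset_token(self, username, ttl_seconds=900):
        """Return a fresh random token; only its hash is kept server-side."""
        if username not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self._reset_tokens[key] = (username, self._clock() + ttl_seconds)
        return token

    def redeem_reset_token(self, token, new_password):
        """Single use: pop() removes the token whether or not it succeeds."""
        key = hashlib.sha256(token.encode()).digest()
        entry = self._reset_tokens.pop(key, None)
        if entry is None:
            return False
        username, expires_at = entry
        if self._clock() > expires_at:
            return False
        self._set_password(username, new_password)
        return True

    def settings_form(self, username):
        """What the settings page should prefill: never the password."""
        return {"username": username, "current_password": "", "new_password": ""}

    def _set_password(self, username, new_password):
        self._users[username] = hash_password(new_password)
        # Any outstanding reset tokens for this user are void after a change.
        self._reset_tokens = {
            k: v for k, v in self._reset_tokens.items() if v[0] != username
        }


if __name__ == "__main__":
    store = AccountStore()
    store.create_user("alice", "correct horse")
    print("change w/o current pw:", store.change_password("alice", "guess", "x"))
    tok = store.issue_reset_token("alice")
    print("first redeem:", store.redeem_reset_token(tok, "battery staple"))
    print("second redeem:", store.redeem_reset_token(tok, "attacker"))
    print("form prefill:", store.settings_form("alice"))
```

The reset token is stored only as a SHA-256 of itself, so a leaked token table can't be replayed, and `pop()` guarantees that a second click on the same link fails regardless of whether the first one succeeded.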