Marc Hedlund writes about the New York Times migrating away from Qpass for its paid membership management system. In the process, though, the Times took an unfortunate shortcut that might expose its customers in ways it didn't anticipate.
How hard would it have been for the New York Times to send random passwords to its premium users rather than easily guessable passwords? They were already sending a customized email to each subscriber, and they already had to write a password update system. Alternatively, they could have had each subscriber choose a new password for themselves the next time they logged in. The cost of doing things much more securely instead of insecurely would have been $0.00.
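Both alternatives described above (a random per-subscriber password and a forced change at next login) fit in one small migration routine. This is an added example, not the New York Times's code or part of the original post; the in-memory account store, the function names and the example.com addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols per character
ITERATIONS = 600_000  # illustrative PBKDF2 work factor; tune for your hardware

def random_password(length=16):
    """Temporary password drawn from the OS CSPRNG, unrelated to any user data."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def migrate(subscribers):
    """Return (store, outbox). Plaintext lives only in the outbox for the email."""
    store, outbox = {}, {}
    for email in subscribers:
        temp = random_password()
        salt = secrets.token_bytes(16)
        store[email] = {"salt": salt, "hash": hash_password(temp, salt),
                        "must_change": True}  # temp password is one-time only
        outbox[email] = temp
    return store, outbox

def login(store, email, password):
    """Return 'denied', 'change_required' or 'ok'."""
    acct = store.get(email)
    if acct is None:
        return "denied"
    candidate = hash_password(password, acct["salt"])
    if not hmac.compare_digest(candidate, acct["hash"]):
        return "denied"
    return "change_required" if acct["must_change"] else "ok"

def set_password(store, email, old, new):
    """Replace the password after re-checking the old one; clears the flag."""
    if login(store, email, old) == "denied":
        return False
    salt = secrets.token_bytes(16)
    store[email].update(salt=salt, hash=hash_password(new, salt),
                        must_change=False)
    return True

if __name__ == "__main__":
    # Constructed sample subscribers, not real accounts.
    store, outbox = migrate(["alice@example.com", "bob@example.com"])
    print(login(store, "alice@example.com", outbox["alice@example.com"]))
```

The temporary password only ever unlocks the change-password step, so a copy of the migration email that is read later is useless once the subscriber has logged in.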