90

1. Create a user on the website.
2. Receive mail with username and password.
3. Change password.
4. Receive mail with the new password.
5. Delete account and look for another service.

Comments
  • 7
    That isn't insecure at all. Insecurity would be if you changed your password, then used "Forgot pass" and your password was mailed in cleartext, which would indicate a non-hashed database.

    One thing you could look at is whether the service uses TLS for their mail. You check this by opening the mail headers and then looking for the Received: line corresponding to the traffic over the internet. If this contains anything about TLS, the mail is secure.
  • 6
    @sebastian I think it might be a tad insecure. If he changes his password through the interface and the service emails him his new password he just entered, that probably means that they are storing his password in plaintext or encrypted, rather than using a one-way hash.

    It seems odd that a service would send you your password in an email (which is usually not encrypted) after you changed it. I could see there being an email saying that the password was changed, but sending the plaintext password just seems careless. I want to meet the PM who approved that feature, then slap him upside the head.
  • 2
    @tytho If the plaintext password is mailed immediately following a change, the password email could be sent by the same script that hashes and inserts the pw in the db.

    However, if he changes his password, and then does a "Forgot password" and gets the password he just changed to (instead of a new pass or a password change link), then they are storing it in plaintext or with reversible encryption.

    And actually, most emails today are encrypted:
    https://google.com/transparencyrepo...
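One way to run the header check described in the first comment (and to see what the last comment's point about in-transit encryption does and does not tell you), as an added example that is not taken from the original post or from any of the commenters: the script parses the Received: chain of a constructed sample message, flags each hop whose receiving MTA recorded a TLS indicator (the ESMTPS/ESMTPSA protocol keyword or an explicit TLS version or cipher string), and picks out the hop that delivered the message into the recipient's own domain, which is the hop that crossed the internet. The hostnames, addresses, ids and the message itself are made up.

```python
"""Check each Received: hop of a mail for TLS indicators (added example)."""
import re
from email import message_from_string

# Constructed sample message (hostnames, addresses and ids are made up).
# The first Received: line is the newest hop: the recipient's MX accepting
# the message from the service's outgoing MTA over the internet, with TLS.
# The second is the older internal hop from the web application to that
# MTA, plain ESMTP, no TLS.
SAMPLE_MESSAGE = (
    "Received: from mail.example-service.test (mail.example-service.test [203.0.113.7])\n"
    "\tby mx.recipient.test with ESMTPS id 4Fz9k1Xq2z\n"
    "\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n"
    "\tMon, 01 Jan 2018 10:00:00 +0000\n"
    "Received: from webapp01.internal.test (webapp01.internal.test [10.0.0.5])\n"
    "\tby mail.example-service.test with ESMTP id 1a2b3c;\n"
    "\tMon, 01 Jan 2018 09:59:59 +0000\n"
    "From: noreply@example-service.test\n"
    "To: user@recipient.test\n"
    "Subject: Your password has been changed\n"
    "\n"
    "Your new password is: hunter2\n"
)

# Strings an MTA writes into Received: when the hop used TLS: the ESMTPS /
# ESMTPSA "with" protocol keywords, or an explicit TLS/SSL version or cipher.
TLS_MARKERS = re.compile(r"\bESMTPSA?\b|\bTLS|\bSSL", re.IGNORECASE)
FROM_BY = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)


def received_hops(raw_message):
    """Parse every Received: header, newest hop first.

    Returns a list of dicts with the sending host ("from"), the receiving
    MTA ("by"), whether a TLS marker is present ("tls") and the unfolded line.
    """
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        line = " ".join(header.split())  # unfold continuation lines
        match = FROM_BY.search(line)
        hops.append({
            "from": match.group(1) if match else "?",
            "by": match.group(2) if match else "?",
            "tls": TLS_MARKERS.search(line) is not None,
            "raw": line,
        })
    return hops


def hop_into_domain(hops, recipient_domain):
    """Return the newest hop whose receiving MTA belongs to recipient_domain.

    That is the hop that carried the message across the internet into the
    recipient's mail system, the line the comment says to inspect.
    """
    domain = recipient_domain.lower()
    for hop in hops:
        by = hop["by"].lower()
        if by == domain or by.endswith("." + domain):
            return hop
    return None


if __name__ == "__main__":
    hops = received_hops(SAMPLE_MESSAGE)
    for hop in hops:
        print(("TLS   " if hop["tls"] else "PLAIN ") + f'{hop["from"]} -> {hop["by"]}')
    internet_hop = hop_into_domain(hops, "recipient.test")
    print("Internet hop encrypted:", internet_hop is not None and internet_hop["tls"])
```

Two caveats when reading the result. Received: lines are appended by each receiving MTA, so only the ones written by your own provider's servers are trustworthy; the earlier ones arrive with the message and could have been written by anyone. And a TLS marker only shows that that one hop was encrypted in transit: in the sample the internal hop from the web application to the service's outgoing MTA was plain ESMTP, and none of this says anything about how the service stores the password, which is what the "Forgot password" test in the last comment gets at.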