Hi DevHC. Yes and no. The passwords are transmitted through the email system, but in an encrypted way (using TLS). If you download your email through non-encrypted channels, that is something you need to solve.
The whole idea behind the “Show password” and “Email me the password” checkboxes is that you can optionally write down the password (in case you don’t trust your email provider). However, if what blowFish said is true (about the password being sent without checking the option), I would need to fix that.
I think I wasn’t very clear about long passwords, so I will expand my explanation:
An 8-character password (like Rw168j3d) can be cracked in a few hours. Imagine we allowed 8-character passwords. Ckit said he can’t even remember his “short” password. If, in Ckit’s view, 8-character passwords are easier to remember than a long phrase, it means he usually uses more “easy-to-remember” passwords than the example above, like “goodday8”, which are even faster to crack.
It’s also true that many people recycle their passwords (maybe not you). So, if the server gets hacked (which happened just a few months ago, as it’s a shared server), they can get your “universal” password and your email address, and automatically have access to your email account. From there, they can access your FB, Twitter, Amazon, Netflix, etc. accounts, and you will blame us.
That is why we are trying to persuade people to use social logins, so their passwords are protected by big companies that have the resources to do so. We don’t have the resources or time to guarantee a 100% hack-proof site. We do what we can.
If people don’t want to use such services, then at least we have to be sure it will be very hard for hackers to get the original passwords. If using a passphrase is not easy enough, there is the option to use a local file to generate your password. Those files are never sent to the server, and it works with Google Drive, Dropbox, and so on, on PCs or mobiles. For example, you can draw a granger in Paint, or use your favorite mp3, or you can generate a key and use that as your password. You just need to remember which file you used, which is easier than remembering a password or phrase.
@DevHC: Not sure what you mean by “Public Key”. If what you mean is “client certificates”, that is not a good alternative. Implementing such a mechanism here would just make things (like administration) much more complicated. Please read here why client browser certificates are not a good alternative. The installation of such certificates is not easy for everyone. There is only one way to easily install such certificates, which involves the deprecated HTML element “keygen”. There is no plan to replace it, which leaves us with a complicated procedure.
Unfortunately I don’t have the time to improve the login/registration system. So if anyone here wants to take over and improve it, I can help.