Mike Koss

9 months ago

in Bad Form: Companies Still Send Passwords via Email on Bob Caswell
I agree, what Mahalo is doing is NOT a best practice. Web sites should:

a) Never store your password in the clear (just a hash of the password that can be used to verify login).
b) Never send a password in email or display it on any web page.
c) The user password should only ever be sent over an SSL (secure) connection when logging in (WiFi connections are too easy to sniff).
d) Provide a "Reset Password" page so people can get a link sent to their email account to re-create a forgotten password.
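
Points (a), (b) and (d) of the comment above, sketched as an added example that is not part of the original comment or any site's code: the server keeps only a salted hash, and a forgotten password is handled by a single-use, expiring reset token whose hash is stored instead of the token itself. The function names, the `user` dict layout, PBKDF2-HMAC-SHA256 with 600,000 iterations and the one-hour lifetime are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 600_000   # assumed work factor for this example
RESET_TTL = 3600          # assumed reset-link lifetime, in seconds

def hash_password(password, salt=None):
    """Return (salt, digest); only these are stored, never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute the hash at login and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

def issue_reset_token(user, now=None):
    """Create the token that goes into the e-mailed link; store only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    user["reset_hash"] = hashlib.sha256(token.encode()).digest()
    user["reset_expires"] = now + RESET_TTL
    return token

def redeem_reset_token(user, token, new_password, now=None):
    """Set a new password if the token matches, is unexpired and unused."""
    now = time.time() if now is None else now
    stored = user.get("reset_hash")
    if stored is None or now > user["reset_expires"]:
        return False
    offered = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(offered, stored):
        return False
    user["salt"], user["digest"] = hash_password(new_password)
    user["reset_hash"] = None   # single use: the same link cannot be replayed
    return True
```
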

1 year ago

in Using Digg & The Wall Street Journal Together: Review with Screenshots on Bob Caswell
The Wall Street Journal web site looks at the "referer" header to determine where the link the user is requesting came from (the previous web site). If it begins with "http://digg.com", then they show the page for free - even if it's part of the paid content.

It's a very weak form of security that can be easily spoofed. It seems that the WSJ is pretty close to giving up on a subscribers-only area.