J

2 years ago

in Pet Peeve: Why do companies still send me my password through email? on Bob Caswell
Well, the core problem is to use the same password everywhere. I realize that it's common to do so but you can't legitimately complain about e-mailed passwords if you are making the more fundamental security mistake first. Two wrongs don't make a right.

That said, the "correctness" of a selected feature is a balance between benefit and risk. For most people, e-mailed passwords offer a risk that is lower than the convenience. The real issues are 1) risk and benefit are arbitrary and individually defined by the user, not the website creator and 2) no alternative risk/benefit choice is offered by the website creator. In the first case the problem space is ignored and in the second the solution space is ignored.

I've used websites where e-mailed passwords were *not* used for password recovery and the chosen alternative was so onerous compared to the value of what I was trying to get done that the *lack* of e-mailed passwords both incensed me and reduced the value of using the website to me.