Smart Enough Not To Build This Website

I may not be smart enough to join Mensa, but I am smart enough not to build websites like the American Mensa website.


This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2008/06/smart-enough-not-to-build-this-website.html

Forget MENSA, MySpace does the same thing!

To Mark Tiefenbruck:


3. Generate a link containing the hash and some other information needed to log in. DO NOT generate a new password; otherwise, knowledge of a user’s account name and e-mail address can be used by others to harass the user (or even deny him service if he’s lost control of or access to his registered e-mail account).

I would only send a link with a generated random guid. Only when this link is clicked, a new password could be created on the landing-page.
The link is only allowed to work once.
And only once in 24 hours such a mail could be generated.

PS: I feel Jeff doesn’t have a clue what’s wrong there, but he wants us to give him ideas for his latest project for cheap :)
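
Added example, not part of the comment above or of the original blog post: the reset-link rules that comment lists (a random link that works once, at most one mail per 24 hours, no password changed until the link is clicked), written in Python. The names `ResetTokens`, `request` and `redeem`, the in-memory store, the one-hour link lifetime and storing only a SHA-256 digest of the token are assumptions of this example; a token from `secrets` stands in for the GUID.

```python
import hashlib
import secrets
import time

MAIL_INTERVAL = 24 * 60 * 60  # one reset mail per account per 24 hours (from the comment)
TOKEN_LIFETIME = 60 * 60      # assumption: links expire after an hour (not in the comment)


class ResetTokens:
    """In-memory store; a real site would keep these rows in its database."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # sha256(token) -> (account, expiry)
        self.last_mail = {}  # account -> time the last reset mail was issued

    @staticmethod
    def _digest(token):
        # Only the digest is stored, so a leaked table holds no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, account):
        """Return a token to mail, or None if one was issued in the last 24 h."""
        now = self.clock()
        if now - self.last_mail.get(account, float("-inf")) < MAIL_INTERVAL:
            return None
        # Drop any older link for this account so only the newest one works.
        self.pending = {d: v for d, v in self.pending.items() if v[0] != account}
        token = secrets.token_urlsafe(32)  # 256 random bits in place of a GUID
        self.pending[self._digest(token)] = (account, now + TOKEN_LIFETIME)
        self.last_mail[account] = now
        return token

    def redeem(self, token):
        """Return the account the link belongs to, exactly once; else None."""
        entry = self.pending.pop(self._digest(token), None)  # pop = single use
        if entry is None:
            return None
        account, expiry = entry
        return account if self.clock() <= expiry else None
```

The landing page lets the user choose a new password only when `redeem` returns an account, and the request page should show the same message whether `request` returned a token or `None`.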

Haven’t posted here in a while, but…

Isn’t it possible that they email some random ‘new’ password?

Well, I guess you tested for that. Either way, that isn’t so obvious based on the screen shot. It could be that they just have the wrong verbiage on the button

I am going to create a site that requires a username and password - and I will not only store that info in clear text, I will make all passwords accessible to everyone. I am going to use ColdFusion. I will use a hash on user profile create/update for the view.

You’ve all made me very angry pretending that these things matter so much. When in reality - anyone using the same password for such things as their financial matters, personal email, as they do on facebook - in my opinion, deserves to be shamed.

Take the advice of our host and use passphrases instead - and if you have an account on Mensa - I would suggest using the following phrase: User Not Found.

I don’t see any mistake. I think the mistake is this post.

Even the smart people of MENSA will take advantage of Card Space…it’s not only for mere mortal _

You can get to the page in Jeff’s screenshot by going to:
http://www.us.mensa.org//AM/Template.cfm?Section=Home
click Events
click Calendar
click the click here to log in (since it asks for log-in)
click forgot password on the login page.

see that the Event tab is highlighted? And in the sidebar Event and Calendar are bolded, just like in his screenshot.

As to what is wrong with this page. All assumptions about unencrypted passwords are not supported by concrete evidence. Unless you can show an email from them with a plain text password, you don’t really know. You can’t prove it. So let’s not go down that path.

I am very curious to know what is wrong with this page. Sometimes, it’s better to admit we don’t know if we can’t support our answer with absolute concrete evidence.

@df5, the grammar policeman. I think your time is better spent tracking down Bob Kaufman. He must be somewhere with Carmen Diego.

So what is the answer?

American MENSA
Oxymoron ?

@Jeff Atwood,

I am not quite sure why you picked this particular topic today. If it is really because of how Mensa goes about treating its members’ passwords… well, it is not that interesting. However, if you posted this blog to get a bunch of your readers to poke fun at Mensa, then, my friend, you have done well.

A society of people who can do well at certain kind of standardized tests … yes, they are asking to be ridiculed. On top of it all, there is actually a membership fee. What? Being a brilliant test taker is not enough? I say Roland Berrill and Dr. Lancelot Ware were a couple of hustlers.

@Luke

Making fools of ourselves by making fun of an organization rather a society of brilliant test takers? No.

Apparently there are a lot of people here who are bitter about not being able to get into Mensa :P

@james

Hey now, there are plenty of brilliant test takers in America.

What if you’re an American Mensa member and you have changed your mail provider since you registered with them 6 years ago? No way to get your password!

Hey, I was billx@bigcorp.com and I’m now billx@hotmail.com, don’t you remember me?? I scored 212 back then… Hey? Help!

They should provide a Forgot your email? button, I think.

@Mattkins

Yes, lots of bitter people!

This blog entry can’t be serious. Being a member of Mensa doesn’t mean you excel in everything. OMG, there are some Mensa members out there who can’t code a website! Who knows if the person who made the website is a Mensa member? I’ll shut up know and get a life.

know-now.
As you can see, I’m not a member of Mensa either. But I’m not bitter!

Jeff,

a) nowadays it is common usage to strongly crypt passwords and optionally email addresses in the database.

b) for password remembering processes it is common usage (also nowadays) to check a security question then send a temporary link for password re-setting.

c) this kind of architecture seems not to use sessions in user validations. Instead it seems to use some kind of Template/Section combination:
http://www.us.mensa.org/AM/Template.cfm?Section=EventsTemplate=Calendar.cfm

d) just checked gmail.com and they say they send me instructions on my secondary email (which I never provided to them). Now it seems I have to wait 24h! to have a security question available to me!!
http://mail.google.com/support/bin/answer.py?answer=46346

Teixi

Everyone seems to be missing what was blindingly obvious to me…

Know someone’s email address? Find out if they are in mensa…

Not particularly… private.

So many websites are culprits of this.
Adam

Err… the email only goes to the address, and we don’t know enough to assume that the send password button gives any indication of success or not.

As for the encryption thing, I don’t get it. To send the password you just decrypt it, being able to send it doesn’t prove it isn’t encrypted.

I don’t see the problem here…

The design of the site is not co-MENSA-rate with the nature of the organization.