
Thanks for that.

I don't agree with their decision though, since most major websites will not email you back your password, by default. If Facebook can get away with it, I'm sure Dreamhost can too.



Facebook doesn't have paying customers. Also, most Facebook users access it for personal use. A lot of people access/use Dreamhost for business purposes. I'm sure there are a lot of PHBs that have access to Dreamhost accounts because they feel compelled to micromanage everything (or just PHBs that make the 'requirement' that the password is recoverable).


Along with the PHBs, we've also got a lot of plain old non-tech-savvy customers who just want to run their [personal blog / small business homepage / church web page / etc], and don't know, nor want to learn, too much about computers. Requiring them to use semi-strong passwords for FTP and email logins is enough of a challenge; requiring them to change those passwords every time they forget them is often a real hassle.


Personally, I think that when an account is set up the option should be a prominent one with an explanation of the security implications, as well as noting that you can only reset the password, but not recover it when it is hashed. Then the onus is on the customer since they made the choice when presented with information explaining the risks/rewards of the options. It's kind of 'passing the buck' in that a single employee at a company could choose the wrong option, then if the company ever complains you just point to that person (though indirectly, since you would only be replying that password hashing is an account option that was turned off).
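As an added illustration of the per-account option proposed above, here is a small model of the two storage modes. This is example code written for this discussion, not code from the thread or from Dreamhost: the `Account` class, the `hashed` flag and the reset-token flow are assumptions, and PBKDF2-HMAC-SHA256 from Python's standard library stands in for whatever hash a real host would use. It shows the consequence the comment describes: in hashed mode the password can be verified and reset through a short-lived token, but a "mail me my password" request has nothing to return.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed work factor for PBKDF2-HMAC-SHA256; tune for the hardware that runs it.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return a salted PBKDF2 record; the password itself is not stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


class Account:
    """Constructed model of a hosting account with a 'hashed password' option."""

    def __init__(self, username, password, hashed=True):
        self.username = username
        self.hashed = hashed
        self._record = hash_password(password) if hashed else {"plaintext": password}
        self._reset_tokens = {}  # token -> expiry (unix seconds)

    def verify(self, candidate):
        """Login check; works identically in both modes."""
        if self.hashed:
            rec = self._record
            digest = hashlib.pbkdf2_hmac(
                "sha256", candidate.encode(), rec["salt"], PBKDF2_ITERATIONS
            )
            return hmac.compare_digest(digest, rec["digest"])
        return hmac.compare_digest(self._record["plaintext"].encode(), candidate.encode())

    def recover(self):
        """What a 'send me my password' request can return in each mode."""
        if self.hashed:
            return None  # only salt + digest exist, so there is nothing to send
        return self._record["plaintext"]

    def issue_reset_token(self, ttl_seconds=900, now=None):
        """Create a single-use, time-limited token for the reset path."""
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = (now or time.time()) + ttl_seconds
        return token

    def reset_with_token(self, token, new_password, now=None):
        """Consume the token and replace the stored credential in the current mode."""
        expiry = self._reset_tokens.pop(token, None)  # pop: a token is valid once
        if expiry is None or (now or time.time()) > expiry:
            return False
        self._record = (
            hash_password(new_password) if self.hashed else {"plaintext": new_password}
        )
        return True


if __name__ == "__main__":
    acct = Account("demo", "correct horse", hashed=True)
    print("login ok:", acct.verify("correct horse"))
    print("recoverable:", acct.recover())  # None in hashed mode
    token = acct.issue_reset_token()
    print("reset ok:", acct.reset_with_token(token, "new passphrase"))
    print("new login ok:", acct.verify("new passphrase"))
```

The `now` parameter exists only so the expiry logic can be exercised deterministically; in production the clock comes from `time.time()`. Whichever mode the customer picks, the token path is the same, which is what makes the "reset, not recover" explanation at signup a single sentence rather than a separate procedure.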


Why don't they want to change their passwords when they forget them? Presumably the old password isn't much use anymore, since it's been forgotten.

But unless there's something I'm missing, I suspect I'm just preaching to the choir right now ;)


One or both of:

- They've forgotten the password, but it's still in the keychain (or equivalent) for their mail or FTP client, which will all stop working when they reset the password.

- The password is shared with other employees, and it might be difficult to notify them all of the new password.


(1) Fair enough, I suppose some keychains might make it difficult to recover the password.

(2) Why not just ask the other employees for the old password?


(1) Right -- and, even if it is possible to recover the password, walking a non-tech-savvy customer through the process may not be a palatable option, either for Support or for the customer.

(2) I wish I knew. Not really our place to ask, though.


I don't believe you can compare Facebook and Dreamhost, since users feel more entitled to demand features when they are parting with $.


When I made that comparison, I meant that Dreamhost users are presumably more tech-savvy than Facebook users, and Facebook users don't seem to have a problem with the password reset structure.



