How Not to Handle Password Security

Geoff Canyon
Published in Thinking Product
1 min read · Sep 25, 2017

I tried to log in to a site I use (that will remain nameless — I’ve sent them an email about this) and found that my stored password was out of date. No idea why, but whatever. I clicked the “Forgot Password?” link. Here are the exact steps that followed:

  1. The site presented a form asking for my email address and zip code. I typed them in and continued.
  2. The site informed me that they had no security questions on file for me, and asked me to give them my second grade teacher’s name and my first pet. I typed them in and continued.
  3. The site took me back to the initial form, asking for my email address and zip code. I typed them in and continued.
  4. The site asked me to provide the answers to my security questions: my second grade teacher’s name and my first pet!? I typed them in and continued.
  5. The site thanked me and asked me to provide a new password and confirm it!!!!???? I did, and I was in with a changed password.

They didn’t email me to reset my password; they let me do it right there on the site. The only thing they required to change my password was my email and zip code. They didn’t email me to let me know my password had been changed. They asked for answers to security questions that they didn’t already have, and then asked me for those very same answers only seconds later.

This is awful security.
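The same reset flow with the missing checks put back, as an added example (a constructed in-memory Python model, not the site's or the author's code; the Account/ResetService names, the zip-code lookup and the 15-minute token lifetime are assumptions):

```python
import hashlib
import secrets
import time
# Constructed model of a reset flow; each check maps to a gap in the post: no emailed proof of
# control, security answers enrolled by an unauthenticated caller mid-reset, no change notification.
RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of an emailed reset token

def hash_secret(value, salt):
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 200_000)

class Account:
    def __init__(self, zip_code):
        self.zip_code = zip_code
        self.salt = secrets.token_bytes(16)
        self.password_hash = None
        self.security_answers = {}  # question -> hash, set only from a logged-in session
        self.notices = []  # messages "emailed" to the holder (stand-in for a real mailer)

class ResetService:
    def __init__(self):
        self.accounts = {}  # email -> Account
        self.pending = {}   # reset token -> (email, expiry)

    def enrol_security_answers(self, acct, answers, logged_in):
        # The post's site let whoever was mid-reset set the answers; require a real session instead.
        if not logged_in:
            raise PermissionError("security answers may only be set from a logged-in session")
        acct.security_answers = {q: hash_secret(a.strip().lower(), acct.salt) for q, a in answers.items()}

    def request_reset(self, email, zip_code):
        # Email + zip code only start a reset; proof of control is the token sent to the mailbox.
        acct = self.accounts.get(email)
        if acct is None or acct.zip_code != zip_code:
            return None  # same outcome either way, so the form does not confirm which emails exist
        token = secrets.token_urlsafe(32)
        self.pending[token] = (email, time.time() + RESET_TTL_SECONDS)
        acct.notices.append(f"reset link: token={token}")
        return token

    def complete_reset(self, token, new_password, answers=None):
        entry = self.pending.pop(token, None)  # single use, expires with RESET_TTL_SECONDS
        if entry is None or time.time() > entry[1]:
            return False
        acct = self.accounts[entry[0]]
        for q, h in acct.security_answers.items():  # answers on file add to the token, never replace it
            given = (answers or {}).get(q, "").strip().lower()
            if not secrets.compare_digest(h, hash_secret(given, acct.salt)):
                return False
        acct.password_hash = hash_secret(new_password, acct.salt)
        acct.notices.append("your password was changed; contact us if this was not you")
        return True
```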
