That's A way. For a virtually costless good, this is just as fine a way that has a much smaller chance of capturing a password anyone gives a shit about.
Look, my point is that for $35K, a newly-built commerce site should follow basic best practices. It isn't exactly hard to implement, esp. if you're worth $35K. It isn't about someone stealing my account info – it's about evaluating what he got for $35K.
For a commerce site that you will not use or necessarily maintain for years, a system where you don't ever get passwords that other people give you can certainly serve better than one where you do, as the logins are only useful for the content.
This could be more useful to him as his security matters less, as he has less valuable things stored in his site. It may also work better to lower support costs (as many people are pretty bad about keeping track of passwords), and this approach means they can just look at their email to start.
I agree for many cases (say, HN) that it is a good practice, but it's not gold in all cases.