Many websites have some mechanism to change your password if you forget it. Typically you click a “Forgot your password?” link, then enter your email address. The site then sends you an email containing a time-limited link to a page where you can enter a new password. Pretty standard stuff.
Why don’t they just email you your current password? Because it’s considered really bad practice. Security-wise, it’s roughly equivalent to sending a postcard through regular physical mail – as it gets passed along, people can read the contents of it if they want to. You wouldn’t want someone to scribble your password on a postcard! The other reason is that if they’re able to email your password in plain text, it means they’ve probably stored it in plain text (or at best stored it in encrypted form, but in using reversible encryption).
And yet… even if you would never email passwords yourself, some sites will happily email you your current password in plain text form if you tell them you’ve forgotten it. Typically this happens with smaller sites that apparently don’t know much about security.
But it also happens with some fairly well-known ones. Here’s one, from the Singapore branch of job site Monster.com. As a publicly-listed company (NYSE:MWW) with a market-cap of $600M, you’d think they’d know better.
So what to do? Ideally, use a different password for every site. If that’s too much, at the very least, don’t reuse any important passwords, e.g. if you’re signing up for an account at some tiny online retailer, don’t use the same password that you use for your bank account.
Besides protecting yourself, dropping a note to offending websites might encourage them to improve their password security. And finally, public naming and shaming might help, via Facebook, blog posts & comments, or submitting to sites like Plain Text Offenders (which I just found today).
Use LastPass and unique random passwords for every website