linear a writes "I've noticed that quite a few web sites do *not* encrypt user passwords. I've gotten into the habit of hitting the "email me my password" from them to see what happens. So far I've found maybe 6 that must store passwords in clear since they were able to return the original password back to me. Clearly this is Bad Security Practice. Also, I've had notably bad progress when I ask them to fix this practice. Some of these are sites one would clearly expect to have better security (e.g., a software vendor and an online bank).
Do you have thoughts on how to better encourage better password practice at these places? Also, is this really as common as it seems to be for me?"