[theboss]

Oh yeah. It's impossible to know who has your plaintext password on the backend (even steam who RSA encrypts your pw with a public key before sending), but this certainly is a bad practice and certainly makes it look like they do not have robust security practices.

[Istof]

If you use the "forget password" link and receive your old password by email, then they more then likely have your plain-text password unless they crack it on the fly?

[couchand]

If you receive your old password then yes, they do have it stored in plaintext. Usually these days forgotten password pages just ask you to create a new one, but if they don't that's a sure sign.

[gabriel34]

Not so sure; it could still be encrypted (also bad practice)

Still, if you receive your password back, that is a giant red sign screaming insecurity

[growupkids]

Or too many end users that forget their passwords. Never underestimate the costs of supporting password resets for nontechnical users.

[vacri]

This is a sentiment often missed by the security community. Good security is good to have, but if it makes the service unusable, it's worthless. And when it comes to the general public, that's a low bar set. Banking PIN codes are laughably poor security, but in general they do quite a reasonable job - people get their banking done, and the banks haven't collapsed in a heap due to PIN-based security violations.

This being said, the banks are also in the unusual position of being able to effectively insure themselves against relatively small losses (to them) in order to keep confidence in their business high.