I know this is beating a dead horse, but encrypting your user's passwords is one of the most important things you should be doing. Failing to do so shows a complete lack of respect for your users, and demonstrates that your site/service is probably not worth using.
There should be a list of companies/sites that don't encrypt passwords, so we know what services to avoid. That way, next time you use the Forgot Your Password feature and they email you your plaintext password, you can add them to the list to warn others.
Yeah, I suppose I should clarify. Instead of storing the plaintext or encrypted version of the password, they should store a hash of the password, since, if/when the database gets compromised, it's even more difficult for the attacker to retrieve the passwords.
If the passwords are just encrypted, once the attacker figures out the algorithm, then all of the passwords will be compromised. A hash, on the other hand, would require each account password to be broken individually.
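As an added illustration of the point made in the post above (this is example code, not something from the original thread), here is the defender's side of it in Python: each password is stored as a salted, slow hash that has to be attacked one account at a time, and the "forgot your password" flow hands out a one-time reset token rather than echoing a password the server should never be able to read. The iteration count, salt length and record format are assumptions chosen for the example; only the standard library is used.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Cost parameters (assumed values for this example; raise ITERATIONS as hardware allows).
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and return a self-describing record.

    Record format (chosen for this example): pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>.
    Keeping the parameters next to the hash lets the cost be raised later
    without breaking verification of records written with the old cost.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # a fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


# --- "Forgot your password" without the server ever knowing the password -----

def issue_reset_token(reset_store: Dict[str, str], username: str) -> str:
    """Create a one-time reset token; only its SHA-256 is kept server-side.

    The returned token is what goes into the e-mailed link. A database leak
    exposes only the digest, which cannot be turned back into a usable token.
    """
    token = secrets.token_urlsafe(32)
    reset_store[username] = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return token


def redeem_reset_token(reset_store: Dict[str, str], username: str, token: str) -> bool:
    """Consume the token if it matches the stored digest; each token works once."""
    expected = reset_store.get(username)
    if expected is None:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, expected):
        return False
    del reset_store[username]  # single use
    return True


if __name__ == "__main__":
    # Two users who happen to pick the same password get different records,
    # so cracking one gives no free answer for the other.
    users = {"alice": hash_password("correct horse"),
             "bob": hash_password("correct horse")}
    print("records differ:", users["alice"] != users["bob"])
    print("alice logs in:", verify_password("correct horse", users["alice"]))
    print("wrong password:", verify_password("battery staple", users["alice"]))

    pending: Dict[str, str] = {}
    link_token = issue_reset_token(pending, "alice")
    print("reset accepted once:", redeem_reset_token(pending, "alice", link_token))
    print("reset replayed:", redeem_reset_token(pending, "alice", link_token))
```

Because the stored record contains only a salt and a digest, a copy of the user table gives an attacker nothing to decrypt: every account has to be guessed against separately at the full PBKDF2 cost, which is exactly the property the post above is after. The reset flow shows that a site never needs the plaintext to help a user back in.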
The thing that pisses me off most is... I sign up for some website and a few minutes later I get some email: "Hey, welcome to site X, your username is Y and your password is Z." WHAT THE FUCK