> Anybody sending you back your password in clear text is also storing it that way in their database<p>Incredibly ignorant statement. If it's encrypted in a reversible format then it's not cleartext. If it's being sent in a confirmation email, then it could even be stored as a one-way hash: password extracted from the form, inserted into email, hashed and stored (This is what WordPress, for example, does).<p>A case can be made against both of those procedures, but that is a separate issue from his statement being ignorant.
The key is to just use a different password on every site by employing a special password structure.<p>For example, for HN, you can use:<p>orycPASSWORDy<p>[2 last letters][2 first letters][master password][1 first letter]<p>Good idea to mix and match numbers in the master password for added security. So for HN it can be: orycpassword1y<p>The good thing is that you only need to remember a single password for all your sites, yet they are all different. And if you ever forget a password, you can figure out what it was by simply looking at the url.
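As an added illustration (not part of the comment above), here is the derivation rule as the comment states it, written out as code, together with the inverse operation a practitioner would check before relying on such a scheme: given one site's password and its URL, `recover_master` strips the fixed affixes and yields the master secret, from which every other site's password follows. The mapping from URL to "site name" (the second-level hostname label, e.g. `ycombinator` for `news.ycombinator.com`) is an assumption; the comment only says to look at the URL. The function names and the example sites are mine.

```python
"""
Added example, not from the HN comment it follows.

Rule as stated in the comment:
    [2 last letters][2 first letters][master password][1 first letter]
Assumption: the letters come from the second-level label of the hostname
(news.ycombinator.com -> "ycombinator"). No public-suffix handling, so a
host like bbc.co.uk would yield "co"; that is a limit of this toy, not
something the comment addresses.
"""
from urllib.parse import urlsplit


def site_label(url: str) -> str:
    """Return the second-level label of the URL's hostname (assumed rule)."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def derive_password(url: str, master: str) -> str:
    """Apply the comment's pattern to a site and a master password."""
    label = site_label(url)
    if len(label) < 2:
        raise ValueError("site label too short for the scheme")
    return label[-2:] + label[:2] + master + label[0]


def recover_master(url: str, leaked_password: str) -> str:
    """Invert the pattern: one leaked (site, password) pair gives the master.

    Raises ValueError if the password does not carry this site's affixes.
    """
    label = site_label(url)
    prefix, suffix = label[-2:] + label[:2], label[0]
    if not (leaked_password.startswith(prefix)
            and leaked_password.endswith(suffix)
            and len(leaked_password) > len(prefix) + len(suffix)):
        raise ValueError("password does not follow the scheme for this site")
    return leaked_password[len(prefix):-len(suffix)]


if __name__ == "__main__":
    # Constructed inputs: the comment's own HN example plus a second site.
    hn = "https://news.ycombinator.com/"
    other = "https://www.example.com/login"

    print(derive_password(hn, "PASSWORD"))      # orycPASSWORDy, as in the comment
    leaked = derive_password(hn, "password1")   # orycpassword1y, the comment's 2nd form

    # What a reader of one leaked password can do with it:
    master = recover_master(hn, leaked)
    print(master)                                # password1
    print(derive_password(other, master))        # leexpassword1e
```

Run it as a script to see the HN password from the comment reproduced, then the master recovered from that single string and reused to produce the password for a second site. The only hard part for an attacker is guessing the affix rule, which the comment publishes.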
I don't think a boycott is the best way to proceed with this problem. For starters, I don't think you will get enough publicity to bring a boycott to critical mass. Secondly, I think it would be more useful and effective to send an email to the perpetrating website, inquiring or complaining about their password storage techniques. When customers/users complain, a good business will respond and attempt to resolve the problem.
I posted a similar screed about iPhone/Twitter apps that send passwords in the clear or with broken encryption a few days ago: <a href="http://scott.wolchok.org/plaintext.html" rel="nofollow">http://scott.wolchok.org/plaintext.html</a> (HN post at <a href="http://news.ycombinator.com/item?id=877460" rel="nofollow">http://news.ycombinator.com/item?id=877460</a>)<p>Not sure what the difference is that made people care about this but not that, but open to enlightenment.
I am glad I am not the only one who feels sending passwords by email is a bad thing:<p><a href="http://www.techconsumer.com/2008/02/11/bad-form-companies-still-sending-my-passwords-via-email/" rel="nofollow">http://www.techconsumer.com/2008/02/11/bad-form-companies-st...</a><p>Thank you tomfakes for the comment.