Why Do Websites Still Have Such Bad Security?

While going through my password database and giving all of my old entries a refresh I was shocked to notice the password change email that I received from the Where’s George website (remember them?) contained my new password in plain text.  Good thing I used a site specific email address and password for them!  (When is the last time I logged into their site, anyhow?)

So, it got me to wondering… did they just send it back to me in a plain text email (a sin), or are they storing it in an unencrypted form as well (an even bigger sin)?  So, I went to their site and followed the forgotten password link, and sure enough they sent me my password again, in plain text:

Seriously?  That’s a major security snafu!  I thought that sites had gotten past that ages ago!

With so many cross-site breaches in the news these days they really should move into the 2000s.  Too bad my feedback e-mail bounced back and they probably won’t be answering.

EDIT:  To their credit, they did answer my feedback with:  “yes, we’re working on changing that.”