There are a lot of sites guilty of this, even those that should know better. In 2009, I lost my username to the Microsoft TechEd Africa site. So I phoned Microsoft South Africa's number for the event, and I was shocked when the chap at the other end read my password back to me!

It was a strong password that I used on a few other low-importance sites, but I immediately changed it on all of them.