I was forced to change my password by 2degrees today - I didn't want to change it, so I set it to what it was.  My *browser* immediately told me no.  I thought this was very curious that my browser knew the current password, as I was not asked for it on the page (it wasn't JS saying if(old==new) alet('go away')).

So, I thought, I'll view the source, and search for my existing password.  And what do you know?  There it was, right there in the clear.   This got me thinking about one way hash functions and the like, and it occured to me that they had to be storing my password using (at best) reversible encryption, or worse yet, in the clear!

NB:  the page is SSL secured, but I don't think that's really good enough.

Might I suggest to people who wear tin hats that they not attempt to log in to 2degrees lest they have a password change foisted on them (and the accompanied $yourPasswordHere embedded)?