Here are some articles about password sniffing and real-world systems. Documented accounts of successful password sniff attacks do actually exist. (I’m not trying to pick on the OSS folks when it comes to poor password handling, but the two...

Why does the ASP.net administrative site send your plaintext password to you in email whenever you change it? This strikes me as a bad idea. For that matter, why doesn’t the ASP.net site use https on the page that allows you to change your password...