I was just on the phone with Starwood hotels, and to verify my identity they wanted my web password. He clearly typed it in on the other end to make sure it was right. I've never been asked for a password over the phone. Giving it out just felt plain wrong.
Of course, I use the same junk password on piles of web sites I don't care about. It was my password at Red Hat when we had open telnet access. Hard to believe.
Guess I'll go change a few dozen web passwords today though. Thanks Starwood.