ISACA's reply (paraphrased, emphasis is mine) is that the password management system will change with the next update to their web site and that users can choose to have a password hint displayed or whether they want to have their old password sent back to their email address on record.
My reply to ISACA's
The problem with being able to send one's old password back to them is that it implies the password is stored in a form that can be retrieved. This can be achieved by storing the password in plaintext in the database, or via some (often home-grown) reversible encryption (such as ROT-13, XOR, etc).Original post:
This also implies that people who maintain the DB (and possibly the site) can have access to that data. Of course, I expect ISACA to have procedures in place to review access privileges and log all access attempts. Still, I would rather know that my password is stored in a one-way hash that cannot be reversed.
In the current threat environment, best practices for web sites mandate that when a user has forgotten his/her password, a new one be created for them and sent to the address on record. It is disappointing to see a giant of security like ISACA.org not follow that advice with their own web site.