First, it's kind of a PITA to figure out where people hide the Change Your Password option. But okay. I'm building a repertoire of the various possibilities and getting faster. Also, some sites are very annoying about whether they allow nonalphanumeric characters (they either don't allow them or require them). But yeah, whatever. Generally speaking, you have to confirm your password (_after_ producing it to log in in the first place) to change it, and then you have to enter it twice. Quora.com only requires it once, so that's something. And JewishGen doesn't require a password confirm. Then on top of that, JewishGen displays the password _in the clear_ after you change it AND it emails you your entire profile INCLUDING the in-the-clear password afterward, and there's no obvious way to make it not do so.
In good news, I've spent several minutes trying to imagine any way that anyone could cause me any amount of trouble if they hacked into JewishGen. And I'm coming up with absolutely nothing, which is in stark contrast to Netflix. I canceled that a while ago, and I went over there to update the password (weak, duplicate AND they've updated their certificate so It Was Time and LastPass told me to). I keep trying to figure out how to delete my account (I think I have to call) or at least the last payment method used (can't even zero that out!!!). It's hard to see it being hugely problematic; the last four digits of a credit card are pretty easily accessible, although I understand that people have used the last four as part of a social engineering hack to get more.
I'm remembering, once again, why I just couldn't be bothered to come up with unique, strong passwords for all of these sites. What is the point if they're just going to fricking email the thing to me?