Correct, but every site where you signup does that and I do not think anyone cares. Maybe such API will not be for end users but for other apps to run signup forms against it and help users choose a better one. In any case, the whole password deal is broken. I now use my own offline pwd generator for the "important" sites but I guess I am not the average Internet user.
Hopefully none, and hopefully they are all following best practices to protect your password, but you trust them regardless. Besides, who said plain text, such service could use ssl.
