
Aren't most passwords 1-way hashed? Seems like this is only going to give them access to low-level passwords.



Meant to be, but most aren't. I know that my bank, ISP, and mobile carrier all store my passwords in plain text.

Along with all these jokers — http://plaintextoffenders.com/


Someone should create a third party certification program where they take a look at your password storage code, and if it uses industry best practices, you can display a badge on your site.


Better to switch to authentication protocols where the server never sees your password.


And what prevents me from creating a simple page that redirects to plaintext on login if given an order after the audit? With NSLs, currently the situation is whatever Lola wants, Lola gets.


There's no need to; the password plaintext is available during the login process anyway. There's a difference between not storing it and not having it. All that would be required, really (assuming you don't want to store passwords, but are terribly, terribly concerned with the ability to extract a particular password under particular circumstances) is a conditional that shunts the plaintext somewhere before the login script/module dies. The login then continues as normal, but the bells and sirens go off and the plaintext password is available outside of the system. This, though, depends on user login after the fact, so to speak; turning over the hashes may mean more work for the interested authorities, but it won't depend on new logins.


This is more a voluntary procedure that gives the assurance that the company you're dealing with at least understands password security. It makes no guarantees that they still aren't trying to steal your password or otherwise have something to gain by stealing your password.

Most instances of plain-text or weak password hashing are due to incompetence or laziness, not malice.


It's depressing how short the reformed list is.


Also, if they were told to get one it would be trivial to change your login code to siphon off valid logins to another database somewhere.



