Websites should stop using passwords for login!
Handing passwords on a web site is a very hard problem both from a technical standpoint (encryption, hashing, salting, ...) and from a user interface standpoint (validation, attack prevention, ...). Many major companies have failed to get it right and many continue to use policies and systems that are less than perfect. Furthermore, users are overloaded with too many passwords to remember that they invariably resort to writing them down or using the same password on multiple sites. In addition, many of these web sites are sites you rarely visit - maybe once a year to order new license tabs for your vehicle, or to update a credit card expiration date on your utility bill. Invariably for these infrequently visited sites it ends up being easier to ask for a password reset than it is to remember what your password was when you registered several years prior.
Email providers, meanwhile, are all moving to two-factor authentication which provides a much greater level of security.
Which begs the question ... should infrequently-visited web sites have passwords at all?
Instead of trying to keep up with the arms race of implementing secure password authentication with captchas, encrypted hashes, questions about pets and password resets, ... why not have a simple login form that asks only for their email address. They complete this one field, hit submit, the web site sends them a link with a single-use token that gets them into the site, they complete their business and logout.
With a scheme like this your website is invulnerable to having the password file stolen and cracked. If anyone does break in, all they get is a list of email addresses which will do them no good as each is likely with a provider who has the latest, greatest, two-factor authentication, intrusion detection and other security measures.