Nothing should be doing this. Insecure legacy systems that wrongfully expect to see the plaintext of the user's password should be replaced with properly functioning ones. But just because they haven't been yet is no excuse to actually give them the plaintext of the user's password.
