Passwords in plaintext
The pre-Google version was so bad that you could find the email password stored in plaintext in the browser cache, so if anyone had access to the files on your computer then they could easily determine the webmail password with no additional tools needed. Classy.