So earlier someone wrote this
The whole “never store plaintext passwords” really means “never store more than you need.”
The sad truth is that it doesn’t mean that.
1st, no system is absolutely secure. Any developer who tells you otherwise is either 1) an idiot, or 2) a damn big idiot.
2nd, for a lot of people, emails are their life. With access to their email, one can do A LOT of things. For example, take over their lives. Storing their passwords that have a chance of being the same as their email ones is putting them at risk of losing control of their lives.
3rd, you should salt, then hash the passwords with something that is cryptographically secure, such that it is difficult to re-generate the password.
4th, we as developers (and tech founders) have to remember that
it is our responsibility as web developers to ensure that nobody, not even us, could get a clear-text version of the user’s password. (link)
With this in mind, we do not ever store passwords, no matter what the purpose of storing it is. And users will do well to remember not to give out passwords easily, not even to Facebook to find your friends. And that was the basis of my previous post on SGE.
If there are people who still cannot understand the seriousness of this issue, then I give up explaining. Feel free to throw your passwords around to all the web services. And good luck, when the service that you gave your passwords to finally gets hacked.
And for all those who
call themselves ‘Technical Founders’ because they mistakenly think that being able to write HTML and basic PHP is “I can write OMGWTFBBQ l33+ code, I know everything that is IT”
Good luck :)