A website storing a password in plain text means that your password is there, waiting for someone to come and take it. It doesn’t even matter if you’ve created the strongest possible password. It’s just there.
...We’re tired of websites abusing our trust and storing our passwords in plain text, exposing us to danger. Here we put these websites to shame.
That is possibly a libellous allegation. It is not necessarily true.
The password is not necessarily stored in plaintext; it may still be encrypted.
There's also a difference between (non-reversible) hashing, with or without salt, and (reversible) encryption.
Additionally, encrypted passwords are only better than plaintext passwords if an adversary that breaks into your database does not or cannot also get the encryption key. That's unlikely to be the case.
Very true, my mention of salts seems to have muddied things.
As for getting the key, I'm no Linux expert, but in Windows, afaik, SQL injection generally doesn't allow you to get to the machine key which is used for this type of encryption.
So the likelihood of them having the key really depends on the attack vector.
I also totally agree that in this day and age everyone should be hashing; it's just too easy to leave an accidental hole, and you should mitigate the consequences of a breach.
But I still stand by the idea that they're not necessarily storing the password in plaintext, which was all I was trying to say with my nitpick!
Just look at http://news.ycombinator.com/item?id=2343330. Tumblr has piles of money, and a misplaced 'i' still gave away all their passwords (fortunately, just their passwords for external APIs...) Keeping the source code secret is usually not security goal #1, and not needing to is a good idea.
Also, un-salted encrypted passwords are still bad. Just compare the top 10 most popular encryptions with a table of the top 10 most popular passwords.
I'll drop this, but please do hash your passwords with something sensible like bcrypt. ;-)
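To make the "top 10 encryptions vs. top 10 passwords" point concrete, here is an added example (not code from the thread or from any site it mentions): with an unsalted scheme, two users who picked the same password get the same stored value, so the database itself reveals which accounts share a common password, while a per-user salt plus key stretching hides that. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here; the user names and passwords are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: two users who happened to choose the same weak password.
SAMPLE_USERS = {"alice": "123456", "bob": "123456", "carol": "correct horse"}


def unsalted_sha256(password: str) -> str:
    """Unsalted hash: identical passwords always map to identical stored values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; returns a self-describing record.

    Format (assumed for this example): algo$iterations$b64salt$b64digest
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, b64salt, b64digest = stored.split("$")
    salt = base64.b64decode(b64salt)
    expected = base64.b64decode(b64digest)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def shared_password_visible(store: Dict[str, str]) -> bool:
    """True if any two users' stored values collide, i.e. the store leaks password equality."""
    values = list(store.values())
    return len(values) != len(set(values))


def build_store(users: Dict[str, str], salted: bool) -> Dict[str, str]:
    """Build a password table with either the unsalted or the salted scheme."""
    return {u: (hash_password(p) if salted else unsalted_sha256(p)) for u, p in users.items()}
```

Running `shared_password_visible(build_store(SAMPLE_USERS, salted=False))` returns True, the salted variant returns False, and `verify_password` still accepts the right password for each user.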
Still, you can have your passwords very securely stored in bcrypt AND mail the plain text out when the account is created. If your email isn't secure that should really be dealt with, and separately.
A website storing a password in plain text means that your password is there, waiting for someone to come and take it. It doesn’t even matter if you’ve created the strongest possible password. It’s just there.
...We’re tired of websites abusing our trust and storing our passwords in plain text, exposing us to danger. Here we put these websites to shame.
That is possibly a libellous allegation. It is not necessarily true.
The password is not necessarily stored in plaintext; it may still be encrypted.
The website owner does not understand encryption.
Understand my point now?