Passwords
Why Plenty Of Fish Stores Passwords in Plain Text
When a user enters text in a password field and the browser turns that text into unrecognizable symbols, there is a subtle, unsaid contract being negotiated between the browser and the website on one side, and the user on the other. The user is agreeing to reveal a secret to the website and the browser, and by masking what she is typing, the browser (and the site) are telling her that it’s okay, her secret is safe with them.
Website owners have, time and again, proven themselves to be too irresponsible to enter into this contract. Most of them don’t, but some of them always will, store user passwords in plaintext. Most of them don’t, but some of them will, get hacked.
So my plea to the browser makers of our times is this: Please come up with a standard to perform a one-way hash of passwords with the site domain name (or some other salt) before the bits ever reach a website. Or, please stop implying that passwords are in any way more secure than any other field on a site’s registration form, and stop masking them.