When is it a good idea to store passwords in clear text?

Question

I am working on an application that is targetted at non technical users. I expect a large number of support calls regarding lost passwords and inability to login.

I am u

Answer 1

Never. The "nature of the application" doesn't matter. You should ask yourself what you think the benefits of storing it in clear text are. Do you expect tech support to pick up the phone and tell them their password? Or email it to them when they forget it? Those are never good ideas.

There's an established design pattern for passwords:

1. Hash them
2. Provide the user with a Forgot Password link
3. User enters the email address associated with their account
4. Reset link or temp generated password is emailed to their address
5. They are immediately prompted to specify a new password upon visiting the link or using the temp password.

That's the general overview and it's the expected approach. Other variations exist, such as providing security questions.