Why are plain text passwords bad, and how do I convince my boss that his treasured websites are in jeopardy?

Question

I\'ve always been of the impression that storing passwords in a database as plain text is (as someone else here put it) a Very Bad Thing™.

Historically, most of our

Answer 1

You may wish to point out that failure to properly secure the accounts could be exposing the company to legal liability if the information were ever compromised. Ignoring a known vulnerability could wind up costing you in legal fees if a user's data was exposed as a result of your company's actions (or inaction, as the case may be).

In the United States, there are certain types of data, such as financial and medical information, that companies are legally bound to keep secure and private. Failure to do so can have serious consequences. I'm not familiar with other countries' laws in this regard, but it's something worth looking into if your company is dealing with such data.