I've always been of the impression that storing passwords in a database as plain text is (as someone else here put it) a Very Bad Thing™.
Historically, most of our
Plaintext passwords are not permitted if your organization maintains PCI-DSS compliance (e.g. a merchant who accepts credit cards). See PCI DSS item 8.4.
Plaintext passwords are not permitted if your organization is a financial institution that is insured by the FDIC (see FDIC FIL 69 2001).
Passwords should be encrypted both in transit and at rest, if you wish to achieve ISO/IEC 27001 certification, e.g. if you work with certain government agencies.