6 upvotes, 0 direct replies (showing 0)
View submission: Reddit's Streak of Bad Luck Continues...
First of all, thanks for letting us know right away.
I'm going to disagree with those who say that storing unencrypted passwords was a bad design decision. Access credentials are a mutual decision (I pick my username/password, you store them), so it is up to both of us to decide how important it is that someone can't pose as me or access my data on this particular website. If I'm particularly worried about these things, I'll pick a password that is hard to break, and ask you about how you store passwords. If I'm not particularly worried, I'll just use a different password than the sites I *am* worried about people breaking into.
Your part of the bargain is that you store passwords as securely as you deem necessary to keep people from breaking in, weighing against that the convenience of other features such as password-emailing. You've done that. I would argue, however, that it would be nice to let us know somehow how seriously you weighed our account security in your design. While it could be argued that revealing the fact that passwords are unencrypted provides a bigger target, that's really only a security-through-obscurity model (at least for the password data), and not very convincing.