I find that many sites and organizations still, for some reason, don't hash their passwords.<p>For example, in this TED talk they were able to actually get all the passwords from a university to run their statistics program on:
http://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd<p>So why? Why on earth would anyone NOT hash their passwords?
From a security perspective I can't think of a single reason to <i>not</i> hash.<p>Not hashing is like not brushing your teeth. There are no immediate repercussions, but you're risking extreme pain and cost in the long run.<p>My guess as to why people don't hash is mostly in line with why people don't brush their teeth:<p>* Laziness<p>* Lacking a culture of health<p>* Ignorance<p>Laziness probably comes mostly from the developer side. A developer makes the wrong trade-off: faster launch today over long-term security. It's easier to write a program that emails the plain-text password to a user than to create a password-reset mechanism.<p>Lack of culture. An organization or a group of developers doesn't prioritize issues of security and long-term sustainability. They are stuck in an eternal day-to-day, short-term focus.<p>Ignorance. Management and decision makers that simply aren't aware of the dangers of non-hashing. Brushing & flossing your teeth is actually a very weird and non-natural behavior. Most kids need persistent, years-long training to develop the habit. Like brushing, if decision makers haven't been educated about hashing they will probably only recognize the benefit after some unpleasant disaster (database breach, e.g. teeth start rotting & falling out).
Ignorance is the only reason I can think of.<p>I recall reading that reddit originally didn't hash them because Steve Huffman liked having his password emailed to him when he forgot it, but I'm having trouble finding a source for that. It was one of his own comments on reddit, I believe.
Okay, so I'm playing devil's advocate here:<p>One good reason is usability. Users are forgetting their passwords all the time and, as buttscicles pointed out, it is for a lot of people much easier to just get an email with their password instead of going through the whole set-a-new-password flow. We actually tested that 8+ years ago and although I don't recall the exact numbers, sending the password led to much higher login rates than creating a new password. And I really mean _much_ higher.<p>Plus from a security perspective it's always better to secure the access to the DB instead of trying to minimize the damage. And btw the still-common (unsalted) MD5 hashing of passwords is barely better than plain passwords.
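On the last point in that comment, that unsalted MD5 is barely better than plain text: the following is an added example, not code from the thread, showing concretely why. With unsalted MD5 an attacker hashes each word-list entry once and looks up every account in a single table, and any two users with the same password have the same digest. With a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256 from the Python standard library here), there is no shared table, equal passwords produce different records, and each (account, candidate) pair costs a full KDF run. The user table, word list and iteration count are constructed for the demo; the iteration count is deliberately low to keep the run short, and production PBKDF2-SHA256 should use considerably more (or a memory-hard KDF).

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real users); alice and carol share a password.
USERS = {"alice": "password123", "bob": "correct horse", "carol": "password123"}
# Constructed attacker word list.
WORDLIST = ["123456", "password123", "letmein", "correct horse"]
# Demo value only; production deployments should use a much higher count.
ITERATIONS = 100_000


# --- the weak scheme: unsalted MD5 -------------------------------------------

def md5_store(users):
    """Store passwords as bare MD5 digests, the 'still common' scheme."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}


def crack_md5(store, wordlist):
    """One hash per candidate, reused against every account: a lookup table."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {u: table.get(h) for u, h in store.items()}


# --- the sound scheme: per-user salt + slow KDF -------------------------------

def kdf_hash(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def kdf_store(users):
    """Store (salt, digest) with a fresh 16-byte random salt per account."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt, kdf_hash(p, salt))
    return store


def verify_kdf(store, user, password):
    """Login check: recompute with the stored salt, compare in constant time."""
    salt, expected = store[user]
    return hmac.compare_digest(kdf_hash(password, salt), expected)


def crack_kdf(store, wordlist):
    """No shared table is possible; every (account, candidate) pair is a fresh KDF run.

    Returns the cracked passwords and the number of KDF computations spent.
    """
    cracked, work = {}, 0
    for u, (salt, digest) in store.items():
        cracked[u] = None
        for w in wordlist:
            work += 1
            if hmac.compare_digest(kdf_hash(w, salt), digest):
                cracked[u] = w
    return cracked, work


if __name__ == "__main__":
    weak = md5_store(USERS)
    print("MD5: alice and carol share a digest:", weak["alice"] == weak["carol"])
    print("MD5 cracked with", len(WORDLIST), "hashes:", crack_md5(weak, WORDLIST))

    strong = kdf_store(USERS)
    print("KDF: alice and carol share a digest:", strong["alice"][1] == strong["carol"][1])
    cracked, work = crack_kdf(strong, WORDLIST)
    print("KDF cracked with", work, "slow KDF runs:", cracked)
```

The word list still finds the weak passwords under the KDF scheme; what changes is the cost per guess and the loss of cross-account reuse, which is exactly the margin unsalted MD5 gives away.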