I work for an educational organization and one of the web-based applications that we use to support external users is provided by a third-party vendor and this application sends username and password information via email. Sending that type of information via an insecure channel like email is bad enough; however, my concern is that in order to send the password, the vendor either (a) stores sensitive info, such as a password, in plaintext or (b) encrypts data but has the ability to decrypt it. IMHO, either method seems less than ideal.<p>Here's my question: I'd like to educate key internal users (technical laypeople) of the importance of this issue (in hopes that they will be more educated users and/or pressure the application vendor to improve its application), and I'm looking for suggestions on what approaches I might consider. I don't want to get into the technical nitty-gritty of hashing functions, rainbow tables, salting, etc. but I do feel it's important to give these users some background information and things to look for when they're using/evaluating web-based (or mobile) applications.