I am working on a project with another (really good) programmer who wants to store passwords in plain text with the argument that it is more convenient and want the buyers want, and that we must market to the buyers.
I of course, have argued this and tried to persuade him to switch, but I'm not good with words and can't bring up as many points as I need to without sounding all humble-jumbled and not knowing what I'm talking about.
Please, list the downsides and vulnerabilities of storing plain text passwords... without bad-mouthing the other programmer. He is a good guy. Also, please don't stray too far off topic, I'll be showing this to the other programmer.
Hopefully you guys can help me.
List
- Admin has access to raw passwords (could be bad admin)
- Many people use the same passwords for lots of other things (including sensitive data)
- If someone were to gain access to the server, they'd have no challenge getting the passwords and using them maliciously
Feel free to add on, or post your thoughts on how bad storing plain text passwords is.
EDIT| I should note that this application is not free, but the source code and database is available to buyers. Empty database every time.