hacked their way into the social app website’s servers and got their hands on more than 32 million user passwords stored in plain text
Correct best practice is not to store the password at all, but to store a "salted hash" of the password. That's why a correctly designed site will let you update your password, but can't tell you what your current password is -- they don't have it.
If you have to store a password -- you shouldn't, but if you did -- then it needs to be stored encrypted. Ditto for high-security data like SSNs, etc.
If there's a 99% cause of hacking, it's people running stuff they get as email attachments. For a while, M$ Outlook even ran such stuff automatically! Talk about a security hole!
“If there’s a 99% cause of hacking, it’s people running stuff they get as email attachments.”
Maybe so. I’m not an expert. You’d think it would be possible at the administrative level to prohibit running any non-authorized program. I know that would be an inconvenience.
Yeah, they’re not getting millions of passwords by hacking millions of personal computers. They’re hacking Yahoo, Apple etc. who so kindly store your passwords for you on their systems.
Yup. Any system that can send you a copy of your password is fundamentally broken and shouldn't be trusted.