Facebook has just admitted that it has found many places – hundreds of millions of places, maybe – where it saved users’ passwords to disk in raw, unencrypted form.
In jargon terms, they’re known as plaintext passwords and it means that instead of seeing a password scrambled into a hashed form such as 379f1531753a7c43ab4f4faace212451, anyone looking at the stored data will see the actual password.
Just like that:
123456789, or that:
mypassword99, or that:
Plaintext passwords used to be the rule, decades ago, but over the years it has become technically, socially and even morally irresponsible to store raw passwords, a bit like drink-driving has become not only illegal but also unacceptable on the road.
In other words, it used to be the norm; then it was the thing you only did if you thought you wouldn’t get caught; and today it’s something that gets the book thrown at you, given that it’s so easy to get it right and so risky to get it wrong.
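To make the plaintext-versus-hashed distinction concrete, here is an added example (not code from the article or from Facebook) of how a service can store and check a password without ever writing the password itself to disk. It uses a salted, slow hash (PBKDF2-HMAC-SHA256 from Python’s standard library) rather than the bare unsalted digest shown above, since a fast unsalted hash is too easy to reverse by guessing; the iteration count and the `algo$iterations$salt$digest` record layout are illustrative choices for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters for this example: a salted, deliberately slow hash.
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record to write to disk: the salt and the hash, never the password."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != ALGO:
        return False
    salt = bytes.fromhex(salt_hex)
    expected = bytes.fromhex(digest_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def record_leaks_password(password: str, record: str) -> bool:
    """True if anyone reading the stored record would see the password itself."""
    return password in record


if __name__ == "__main__":
    # Constructed sample values: the same weak passwords quoted in the article.
    for pw in ("123456789", "mypassword99"):
        rec = store_password(pw)
        print(rec, "verifies:", verify_password(pw, rec), "leaks:", record_leaks_password(pw, rec))
```

Two users with the same password get different records because each gets a fresh random salt, so a leaked table does not even reveal who shares a password.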