This is just incredible, and it doesn’t come from some sort of deep research or white-hat hacking!
Hover.com – a former URL shortener service that became a domain registrar – openly admits to storing account passwords in unencrypted, plain text format!
Quoting from the Hover.com web site:
Password resets quickly became one of the top concerns people called us about. So, we changed the process. Rather than sending out instructions that would allow you to securely reset your password, we would just send you your password.
[…] Most of the public discussion around this functionality focuses on whether or not storing passwords in plaintext is a security risk or not.
[…] We acknowledge that ours is not the most secure approach.
I don’t know about you, but some things aren’t meant to hover.
Never a URL shortener, but been a registrar since 1999 in the first round of new registrars. Also, the post you referred to was from April and was just an outline of the work that we were picking off in the coming months. We completed several security enhancements this week, including a move back to using bcrypt+salt for hashing passwords and offering some new security features including identity verification tools and an “auth-by-email” feature.
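To make the contrast between "send you your password" and a secure reset concrete, here is an added example (not code from this post, the comment above, or Hover) of an account store that keeps only a salted hash and resets through a single-use, expiring token. All names are hypothetical, and PBKDF2 from the Python standard library stands in for bcrypt so the block runs without third-party packages.

```python
import hashlib, hmac, secrets, time

# Added illustration; every name here is hypothetical. PBKDF2 stands in for bcrypt.
ITERATIONS = 200_000
TOKEN_TTL = 900  # seconds a reset token stays valid (assumed value)

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

class AccountStore:
    def __init__(self):
        self.users = {}   # email -> (salt, digest); the password itself is never kept
        self.resets = {}  # email -> (sha256 of token, expiry time)

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def verify(self, email, password):
        if email not in self.users:
            return False
        salt, digest = self.users[email]
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def start_reset(self, email, now=None):
        """Return the one-time token to mail out; only its hash is stored."""
        if email not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.resets[email] = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
        return token

    def finish_reset(self, email, token, new_password, now=None):
        entry = self.resets.get(email)
        if entry is None:
            return False
        now = time.time() if now is None else now
        token_hash, expiry = entry
        supplied = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(supplied, token_hash):
            return False
        del self.resets[email]  # single use: the same token cannot be replayed
        self.register(email, new_password)
        return True
```

Because the store holds nothing from which the original password can be recovered, mailing the password back is not possible; the only thing that can be sent is the short-lived token.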