by Ajkaz 2996 days ago
I'm wondering. Why would encrypting the password be any worse than hashing? If the private key of encryption is well kept, I don't see why they couldn't do that.

I understand though that no one being able to know the password except the user is utmost security, but why not encrypt it?

4 comments

Long story short, an encrypted password can be decrypted. There is no reasonable scenario here under which this is preferable to a non-decryptable hash. This creates a scenario where the only possible outcomes that are added involve security breaches of password texts.
Presumably the application that accesses encrypted passwords in the database also has the decryption key close at hand. So if that application is compromised, the attacker has access to both the encrypted data and the key to decrypt it. If the password is just stored hashed, there is no way to directly decrypt it; you can only verify that a clear text string matches the hash. I'm not sure how relevant it is these days; it seems like there's enough CPU / GPU power that any password that's short enough to be practical can probably be cracked from its hash quickly.
Because they do not need it for the task at hand. Password security has clear best practices which are also simpler to implement than encryption. The very fact that someone can somehow read your password is a breach of privacy.
People reuse passwords. The mere possibility of someone being able to see it is bad.