by folkrav 2772 days ago
It's a matter of storing it in plaintext or not, which any sane developer knows not to. The codebase will always have access to your plaintext password at one point or another, whether it's on signup before they hash and store it, or when you login before comparing hashes.

If someone has access to your codebase you've got bigger problems than plaintext passwords anyway.

2 comments

> The codebase will always have access to your plaintext password at one point or another.

Not necessarily. The simple solution is client-side hashing. You could combine that with challenge-response to only reveal the password hash to the server once.

The client-side code that does the hashing is part of the codebase.
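To make the client-side hashing plus challenge-response idea concrete, here is an added SCRAM-style example (modelled on the RFC 5802 construction, not code from either commenter). The client derives the hash itself, the server is handed only a one-way derivative of it once at signup, and every later login answers a nonce challenge without the password or its hash crossing the wire. The user name, iteration count, nonce layout and the `forge_from_leaked_record` attacker are assumptions made up for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Added example, not from the thread. SCRAM-like flow:
#   signup : client -> server : salt, StoredKey = H(ClientKey)   (sent once)
#   login  : server -> client : server nonce
#            client -> server : ClientKey XOR HMAC(StoredKey, auth_message)
# The server database only ever holds StoredKey, a preimage-resistant
# derivative that cannot by itself be replayed as a login credential.

ITERATIONS = 4096  # PBKDF2 rounds; assumed value, raise it in production


def derive_keys(password: str, salt: bytes):
    """Client side: password -> (client_key, stored_key)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    return client_key, stored_key


@dataclass
class Record:
    salt: bytes
    stored_key: bytes  # the only password-derived value the server keeps


def signup(password: str) -> Record:
    """The single time the server receives anything derived from the password."""
    salt = os.urandom(16)
    _client_key, stored_key = derive_keys(password, salt)
    return Record(salt, stored_key)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_proof(password: str, salt: bytes, auth_message: bytes) -> bytes:
    """Client side of the login: answer the challenge, never send the password."""
    client_key, stored_key = derive_keys(password, salt)
    client_signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return xor(client_key, client_signature)


def server_verify(rec: Record, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof, check H(ClientKey) == StoredKey."""
    client_signature = hmac.new(rec.stored_key, auth_message, hashlib.sha256).digest()
    client_key = xor(proof, client_signature)
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), rec.stored_key)


def login(rec: Record, password: str) -> bool:
    """Drive one full exchange: server nonce -> client proof -> server check."""
    server_nonce = os.urandom(16)
    client_nonce = os.urandom(16)
    # constructed auth message; real SCRAM binds more fields into it
    auth_message = b"user=alice," + client_nonce + b"," + server_nonce
    proof = client_proof(password, rec.salt, auth_message)
    return server_verify(rec, auth_message, proof)


def forge_from_leaked_record(rec: Record) -> bool:
    """Attacker holding only the leaked DB row (salt + stored_key) tries to log in.
    Without ClientKey (the preimage of stored_key) no valid proof can be built;
    here the attacker substitutes stored_key itself, the best value they have."""
    auth_message = b"user=alice," + os.urandom(16) + b"," + os.urandom(16)
    client_signature = hmac.new(rec.stored_key, auth_message, hashlib.sha256).digest()
    proof = xor(rec.stored_key, client_signature)
    return server_verify(rec, auth_message, proof)


if __name__ == "__main__":
    rec = signup("correct horse battery staple")
    print("right password      :", login(rec, "correct horse battery staple"))
    print("wrong password      :", login(rec, "Tr0ub4dor&3"))
    print("forge from leaked DB:", forge_from_leaked_record(rec))
```

Two caveats a practitioner would add: the exchange must still run over TLS, because anyone who observes one proof and also holds `stored_key` can XOR out `ClientKey` and replay logins from then on; and this only moves the hashing, so the client's JavaScript that computes `derive_keys` is still part of the codebase, which is exactly the point made in the reply above.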
>> If someone has access to your codebase you've got bigger problems than plaintext passwords anyway.

You're joking, right? The context of the discussion is when your database is already leaked. Then the chance is that your e-mail database is leaked, too. You may leak code, too. It doesn't necessarily mean someone can execute arbitrary code on your server though, yet.