by ergo98 5606 days ago
The real problem -- and the reason for most of the outrage -- is password reuse. Can we all agree yet that password reuse is the actual problem, and not the storing of passwords?

We should reframe the discussion around that, because it is the real issue.

But let's pretend that PoF stores a 128-iteration blowfish ciphered password for every user. The site is compromised, as it was, and the attacker now has the run of the place. They inject their capture into the login process and now they siphon off every plaintext password.

On the scale of things, whether the password is stored hashed or not is very, very low. It masks the real problem.


Passwords are the problem. They're invariably hard to remember or easy to guess. Or to abstract it out, you're always choosing between resistance to getting lost and resistance to attack.
Stealing passwords of people who log in during a limited time window is less than stealing passwords of everyone who ever registered.

That said, I agree password reuse is the underlying problem.

Such an exploit could be in place on countless sites you visit daily, with no one the wiser. Further, aside from technical competence, why does anyone trust PoF? Why do they trust any site to not only technically handle their password correctly, but to not subvert it for their own purposes?

I see that my post above got moderated down. People want to lazily, and sloppily, reuse passwords everywhere. It's ignorant. The world would be better if we got rid of this ruse that sites hashing passwords themselves offers any reasonable protection. It leaves the barn door open.