Hacker News
by kwantam 5471 days ago
- Enumerate the attack vectors that this practice opens, and give examples of companies that have been burned by similar attacks in the past.

- Ask management if they would be willing to inform all their users about their practice of storing their passwords in plaintext.

- There are several court cases in recent history where users have sued service providers for negligence after a data breach occurred. Failing to take even the most basic security measures is a liability and opens the door to successful litigation in the case that you are hacked. Is management aware of this?

- Financial service providers like Visa have security standards that their clients must follow. Even if these do not directly compel your company to action, they serve as an example of "industry best practices".

- I assume you've already confronted the "senior developer" about these issues; is this a complete dead end?

- Pull out the whistle. Talk to journalists in industry magazines about your company's behavior.

- Comedy answer: tell LulzSec and let them drive the point home for you.