by tptacek 6315 days ago
It's a really big problem.

If you lose your whole database to an attacker, you have a big problem.

If you lose your whole database to an attacker, and you stored recoverable passwords in it, everyone has a big problem.

There'd be something to debate here if fixing this problem wasn't 5-10 lines of code. But that's what it is. 5-10 lines of code to keep yourself from compromising tens of thousands of (email, password) pairs. There is no debate to have here.


I agree that storing passwords in plaintext is an anti-pattern. But with a one-way password encryption setup you need a password resetting system, which is more than 5-10 lines of code.
You need many of those same lines of code to do password recovery if you store plaintext.
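As an added illustration of both points above (this is example code written for this page, not code from anyone in the thread): the "5-10 lines" are a salted, deliberately slow one-way hash at registration plus a recompute-and-compare at login, shown here with the Python standard library's PBKDF2 (`hashlib.pbkdf2_hmac`). The reset flow that the reply mentions is included as well, and it does not depend on how the credential is stored: every line of `issue_reset_token` and `redeem_reset_token` would be the same with a plaintext column, except the final assignment that writes the new credential. The in-memory `db` dict, the function names, the `now` clock parameter, the iteration count and the token lifetime are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for the example; tune it
# to your own latency budget and raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
# Assumed lifetime of a password-reset token, in seconds.
RESET_TTL_SECONDS = 15 * 60


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated one-way hash, stored in a self-describing form
    (algorithm$iterations$salt$digest) so the work factor can be raised
    later without invalidating existing records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Malformed records verify as False instead of raising."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        return False


# Hash of a random string, used so that a login attempt for an unknown email
# costs the same time as one for a known email (no user-enumeration timing leak).
_DUMMY_HASH = hash_password(secrets.token_hex(16))


def new_db() -> dict:
    """Constructed in-memory stand-in for the users and reset_tokens tables."""
    return {"users": {}, "reset_tokens": {}}


def register(db: dict, email: str, password: str) -> None:
    # Only the hash is persisted; the plaintext password is never stored.
    db["users"][email] = hash_password(password)


def login(db: dict, email: str, password: str) -> bool:
    stored = db["users"].get(email, _DUMMY_HASH)
    ok = verify_password(password, stored)
    return ok and email in db["users"]


def issue_reset_token(db: dict, email: str, now: float, ttl_seconds: int = RESET_TTL_SECONDS):
    """Mint a random, single-use, expiring token for `email`. Only the SHA-256
    of the token is persisted, so a leaked reset_tokens table yields nothing
    usable. Returns the token to be delivered out of band (e.g. by email),
    or None for an unknown address (the caller should show the same page either way)."""
    if email not in db["users"]:
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("ascii")).hexdigest()
    db["reset_tokens"][key] = (email, now + ttl_seconds)
    return token


def redeem_reset_token(db: dict, token: str, new_password: str, now: float) -> bool:
    """Consume a token and set a new password. Fails on unknown, already
    used, or expired tokens."""
    key = hashlib.sha256(token.encode("ascii")).hexdigest()
    entry = db["reset_tokens"].pop(key, None)  # pop: a token is good for one use only
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    # With a plaintext column this would be the only line that differs.
    db["users"][email] = hash_password(new_password)
    return True
```

A stolen copy of `db["users"]` from this design gives an attacker only per-record, 600,000-iteration guessing work, and a stolen `db["reset_tokens"]` gives nothing usable at all; with a plaintext column, both the credentials and the reset flow are compromised at once.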