by dpwm
4183 days ago
I was about to ask why anyone would bother sending plain text passwords and store them encrypted. I then remembered a high-school friend's first (and largely unsupervised) job where IIRC he devised a ridiculous password encryption (not hashing) scheme in PHP (on shared hosting). Unrelated horror unfolded a couple of years later when for some peculiar reason he had to move the site to a GoDaddy VPS. An unencrypted customer database sitting at /db.sql, fully accessible to the world. Apache had been configured to show directory indexes and, to take the site offline, /index.php had been removed. I think at the time I even needed to explain the possible consequences. I just remember being told that the database was restoring and it wouldn't take too much longer! I think any remaining part of me that implicitly trusted interesting websites with personal data died that day.