like storing passwords in plaintext. That's just fucking stupid
Not as stupid as you think. Sure, encrypting your passwords is another layer of security but really, if an attacker gets your password database, then they can (and will) crack them quite easily today. Given that all you're doing is slowing the attacker down, it can be better to store them in plaintext.
Because - if you know your passwords are precious and need to be looked after, you will take many more steps to ensure the attacker doesn't get them in the first place. Too many websites think that if the passwords are encrypted then they're all secure. They don't think the (small) effort to properly put the DB behind a middle tier layer and not allow any web application to directly access the tables is worth doing, and so they get hacked and the passwords get cracked.
I blame the web development frameworks. If your idea of security is running it all inside the webserver that's public internet-connected, then you're going to get hacked.