When is it a good idea to store passwords in clear text?

北荒 2021-02-07 05:56

I am working on an application that is targeted at non-technical users. I expect a large number of support calls regarding lost passwords and inability to log in.

I am u

12 answers
  •  谎友^ (original poster)
    2021-02-07 06:38

    Never.

    There is never a good reason to store passwords in your database, ever. Especially not in clear text. You should be storing the hash of the password only.

    The worst thing you can do to a user is broadcast their "recovered" password across the Internet in a clear-text e-mail. It is so easy to simply store a one-way hash of the password which cannot be recovered.

    For lost passwords, you simply reset their password and give them a temporary password which they have to change when they log in. Safe and secure.

    People often use the same passwords for multiple applications (especially non-technical users). So your application will likely contain the passwords for people's bank accounts, email, etc.

    You have a responsibility to secure users' passwords, no matter how trivial your application is.
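
The approach this answer describes (keep only a one-way hash, and handle a lost password by issuing a temporary one that must be changed at login), as an added Python example that is not part of the original answer. The use of scrypt with a per-user random salt, the cost parameters, the in-memory `USERS` table and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed scrypt cost parameters (not from the page); tune them for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

USERS = {}  # constructed in-memory stand-in for the user table


def _digest(password: str, salt: bytes) -> bytes:
    # Slow, salted, one-way derivation: the password cannot be read back from it.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)


def set_password(user: str, password: str, must_change: bool = False) -> None:
    """Store a per-user random salt and the derived hash, never the password."""
    salt = secrets.token_bytes(16)
    USERS[user] = {"salt": salt, "hash": _digest(password, salt),
                   "must_change": must_change}


def verify(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(rec["hash"], _digest(password, rec["salt"]))


def reset_password(user: str) -> str:
    """Lost password: issue a random temporary one, force a change at next login."""
    temp = secrets.token_urlsafe(12)
    set_password(user, temp, must_change=True)
    return temp  # handed to the user once; only its hash is kept


def login(user: str, password: str) -> str:
    if not verify(user, password):
        return "denied"
    return "change_required" if USERS[user]["must_change"] else "ok"


if __name__ == "__main__":
    set_password("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple"))
    print(login("alice", reset_password("alice")))
```

Because nothing recoverable is stored, support staff cannot read a user's password back to them; the reset path replaces it instead.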
