@death said:
> @asuffield said:
> > @MarcB said:
> > > Just because they can make the cleartext available doesn't mean it's actually stored in cleartext. They could be storing it as an AES or DES blob in the database and crypting/decrypting it as necessary. I've done that for any number of systems that required some measure of privacy on the data, but also required that the data's original form be recoverable.
> >
> > Unless it's an asymmetric system with one key held offline, there is no cryptographic difference between this and storing passwords in cleartext. It accomplishes nothing more than buzzword compliance.
>
> Who cares about the storing if a sys-admin (you?) can reverse my password. You can take my identity within that system and leave no tracks. Anybody with access to the encrypted data can. I am just as uneasy about that as a clear-text password.

You have no clue what we are talking about.
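The distinction argued over in this thread, as an added example that is not code from any of the posters: a reversibly encrypted password record gives the original back to whoever holds the key and the row, while a salted one-way record can only confirm a guess. The SHAKE-256 keystream is a stand-in for the "AES or DES blob" so the block runs on the standard library alone; the function names and the iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # example work factor for PBKDF2-HMAC-SHA256 (assumption)

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for the AES/DES blob: XOR with a SHAKE-256 keystream.
    # Illustration only; what matters here is that it is reversible.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def store_reversible(key: bytes, password: str) -> dict:
    # What the database row holds under the "encrypted blob" design.
    nonce = os.urandom(16)
    return {"nonce": nonce, "blob": _keystream_xor(key, nonce, password.encode())}

def recover_reversible(key: bytes, record: dict) -> str:
    # Anyone with the key and the row gets the original password back.
    return _keystream_xor(key, record["nonce"], record["blob"]).decode()

def store_one_way(password: str) -> dict:
    # Salted, deliberately slow hash: there is no key and no inverse.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}

def verify_one_way(record: dict, candidate: str) -> bool:
    # The only supported operation is checking a candidate password.
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["digest"])

if __name__ == "__main__":
    key = os.urandom(32)                  # constructed sample key
    sample = "correct horse battery"      # constructed sample password
    row = store_reversible(key, sample)
    print("recovered from blob:", recover_reversible(key, row))
    hashed = store_one_way(sample)
    print("verify right guess:", verify_one_way(hashed, sample))
    print("verify wrong guess:", verify_one_way(hashed, "wrong guess"))
```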