Hey guys, sorry for the long response – I’ve been knee deep in a super-spiffy Mojo API that will do all sorts of amazing things – it’ll even make you coffee in the morning! We’re just entering an internal beta phase right now and are looking at a public release before April.
First, yes, it is stated a million times (if that few), all over the web. Last fall, one of our competitors made an excellent public example of why this is a bad idea, and the fallout in their user base was pretty impressive. That said, we do not (nor have we ever) store them in plaintext; the e-mail just used the value present from the signup form to send the e-mail; the password isn’t saved in plaintext on our side. To authenticate users, we just use a simple one-way hash with a unique salt. That said, we no longer send passwords out in e-mails – just a password recovery link.
So security is something we take seriously from a business point of view, in addition to the fact that it’s just a bad practice.
We have also implemented a wide variety of methods to prevent the theft of accounts, from tracking user behavior to screening withdrawals to identifying and blocking bots, brute force password crackers and password-guessing algorithms, and hacked/broken external services.
On that topic, we’re also looking at a couple of other options to further protect Mojo users: One Time Passwords using Google Authenticator, notifications of logins, requiring e-mail approval to log in from a new geographic location, along with some more that we aren’t allowed to mention.