Just a small note about what you noted here:
Keith Moore wrote:
Most of the time it's for good reasons - product liability,
PCI requirements, etc. But even then, that hasn't prevented
people from breaking security needs by adding wrappers into their
new user accounts/change passwords to save the plain text somewhere
before a server secured the password storage.
> There is no longer any good reason for using plaintext passwords,
True, but most packages do offer an option like
[X] Plain text ONLY over SSL/TLS
I believe the AUTH related RFCs also state this security consideration.
For PCI though, it may not be enough (depending on a few factors) and
you would need SSL + HTTP Digest with the technically optional NONCE.
> ... not for customers who have their own domains and can
> select their own user agents.
In my business and product experience, the opposite is true, as in an
Intranet: a host with its own access clients and/or with proprietary
security and access controls. It's one reason why we continue to exist
as a business. A good example is HIPAA compliance requirements for
SSL or SHA2 secured encrypted communications over the internet - the
exception? Direct dialup! So if a small business, mom and pop shop or
even mid to large, etc., wanted to get a fast certification entry into
the medical insurance provider business - you can come to us! :)
Remember, it's not just the host, but their client users' device
capabilities too (doctors, banks, etc.).
The times we get requests or queries regarding exposing secured
passwords is when they are doing some form of integration, which leads
to the growing industry-wide consideration of a "Single Identity".
See NSTIC - National Strategy for Trusted Identities in Cyberspace.
Of course, the key industry vendors pushing this include the
marketing vendors - you would buy that "Single Trusted Identity" from
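The "SSL + HTTP Digest" option mentioned earlier in this message is the one place in the thread where a worked example helps. The following is an added example, not code from Keith Moore, the poster, or any product they describe. It models the RFC 2617 Digest exchange with qop=auth (so both the server nonce and a client nonce enter the hash): the client derives HA1 from its password, the server keeps only HA1 per user rather than the plaintext, and the server rejects unknown nonces and replayed nonce-counts. Realm, user name, password and URI are constructed sample values. The caveat for defenders is visible in the code: the stored HA1 is still a password-equivalent for that realm, so the store needs the same protection as a plaintext password file, and Digest only keeps the password itself off the wire; it does not replace the TLS the thread is discussing.

```python
import hashlib
import secrets

# Constructed sample values (not from the thread).
REALM = "example-mail"
USERNAME = "alice"
PASSWORD = "correct horse"  # known only to the client
METHOD = "GET"
URI = "/mailbox"


def md5hex(s: str) -> str:
    """MD5 hex digest, the hash RFC 2617 Digest uses by default."""
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the only secret the server stores."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, nc: str, cnonce: str,
                    method: str, uri: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Server side: issues nonces, verifies responses from stored HA1 only."""

    def __init__(self, realm: str, ha1_store: dict):
        self.realm = realm
        self.ha1_store = ha1_store   # username -> HA1; no plaintext kept
        self.issued = {}             # nonce -> highest nonce-count accepted

    def challenge(self) -> dict:
        """WWW-Authenticate parameters for a new request."""
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, auth: dict) -> bool:
        """Check an Authorization header; reject stale nonces and replays."""
        nonce = auth["nonce"]
        if nonce not in self.issued:
            return False                       # nonce we never issued (or expired)
        nc = int(auth["nc"], 16)
        if nc <= self.issued[nonce]:
            return False                       # nonce-count reused: replay
        ha1 = self.ha1_store.get(auth["username"])
        if ha1 is None:
            return False
        expected = digest_response(ha1, nonce, auth["nc"], auth["cnonce"],
                                   auth["method"], auth["uri"], auth["qop"])
        ok = secrets.compare_digest(expected, auth["response"])
        if ok:
            self.issued[nonce] = nc            # advance the replay window
        return ok


def run_exchange(password: str = PASSWORD, replay: bool = False):
    """One client/server round trip; with replay=True the same header is sent twice."""
    server = DigestServer(REALM, {USERNAME: digest_ha1(USERNAME, REALM, PASSWORD)})
    chal = server.challenge()
    # Client side: only the client ever sees the password.
    ha1 = digest_ha1(USERNAME, chal["realm"], password)
    auth = {
        "username": USERNAME, "realm": chal["realm"], "nonce": chal["nonce"],
        "uri": URI, "method": METHOD, "qop": chal["qop"],
        "nc": "00000001", "cnonce": secrets.token_hex(8),
    }
    auth["response"] = digest_response(ha1, auth["nonce"], auth["nc"],
                                       auth["cnonce"], METHOD, URI, auth["qop"])
    first = server.verify(auth)
    if not replay:
        return first
    return first, server.verify(auth)


if __name__ == "__main__":
    print("correct password:", run_exchange())
    print("wrong password:  ", run_exchange(password="wrong"))
    print("replayed header: ", run_exchange(replay=True))
```

The server never receives the password, which is the point of offering Digest alongside plain text over TLS; the nonce bookkeeping is what stops a captured Authorization header from being resent, and the `compare_digest` call avoids leaking the comparison through timing.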