True or false: systems always store real passwords in plaintext.

No, it is not true that systems always store real passwords in plaintext; well‑designed systems almost never should, but some still do due to bad or outdated practices.
What secure systems should do
Most modern, security‑aware systems follow these principles when handling passwords.
- Store only a cryptographic hash of the password, not the real password itself.
- Add a random salt (unique per user) before hashing so the same password produces different hashes for different accounts.
- Use slow, password‑specific algorithms like bcrypt, scrypt, PBKDF2, or Argon2 instead of generic fast hashes.
When you log in, the system hashes what you typed (with the same salt) and compares that hash with the stored hash; matching hashes mean the password is correct, without ever needing to store or “read back” the original password.
Why plaintext storage is dangerous
Storing passwords in plaintext is considered a severe security flaw.
- If an attacker gets database access, they instantly see every user’s real password and can reuse it on other sites (since people often reuse passwords).
- Internal staff with database access can also see user passwords, which creates abuse and privacy risks.
- Breaches at large companies (including big tech firms) have made news precisely because some passwords were stored or logged in plaintext, showing this is still a real‑world problem.
Security professionals treat plaintext password storage as a red flag that the system’s overall security is poor.
Do any systems still use plaintext?
Unfortunately, yes—some legacy or poorly built systems still store real passwords in plaintext or in effectively reversible forms.
- Investigations and disclosures have shown that several companies have, at times, logged or stored user passwords in readable form because of legacy admin tools or misconfigurations.
- Discussions in developer and security communities frequently call this out when signs appear, such as strict maximum password lengths or odd password rules that suggest a fixed‑width database field storing the raw password.
So the accurate statement is:
Systems should never store real passwords in plaintext, but some still do due to poor design, legacy code, or negligence—which is widely regarded as a serious security failure.
Mini FAQ
Q: If a site can tell me my old password, does that mean plaintext?
Usually yes. If a site can email you your original password instead of making you reset it, that strongly suggests it is stored in plaintext or reversibly encrypted.
Q: If a site grades my password strength as I type, is it storing it?
Not necessarily. Strength meters typically evaluate the password in memory on the client or server just long enough to score it, then discard it; secure implementations still only store salted hashes.