Why do companies/websites keep doing this? Does it really take that much more coding to store the passwords encrypted?
In short: They don't care.
A company cares about releasing new features and spicing things up so that they can beat their competitors. The last thing they think of is security. And well. We'll never get hacked, right? Why would any criminals go out of their way to target us? Every site / software has this mindset to some extent, including FP, XenForo, etc.
It's actually not particularly surprising. Companies tend to care more about security after they're compromised. But also, the less experienced a programmer is, the more they'll be all about the features and less about security. And well, programmers who know nothing are cheap and plentiful, right?
This is how you get the plaintext, etc.
It's basically what people call "acceptable risk". But in all honesty, I think the chances of you getting targeted sooner or later are probably 10 to 20%. Higher, if you have more than ten users.
In other words, you will almost certainly have someone coming after you, but people think of internet security as, well, locks. Locks work, right? Even though they can be picked easily.
The reason that locks are effective is largely because you don't have criminals from all over the world bearing down on you. It's mostly a deterrent. Like the nuclear weapons we all love stockpiling, but we generally know we will never use.
There is no such thing as a deterrent on the internet. People do things anonymously all the time; there is no risk of being caught "picking a lock" or any other order of embarrassment.
The solution to the problem is probably regulation, but you should never trust the government to do anything vaguely helpful; they will make problems twenty times worse.
P.S. Many attacks, particularly things like SQL Injections or even commonly used software, can be easily automated. I am constantly being bombarded by such attacks, for software I don't even use 24/7 with practically no traffic.
If someone finds a zero-day vulnerability, they will quickly weaponise it before the vendor can patch it and before the updates have enough time to flow out (even if a security issue is fixed, admins have to apply the patch).
And if not for the fact that over half the internet runs PHP and all manner of insecure garbage, I might even be a little smug about PHP being an insecure mess (which it is). This is just the tip of the iceberg.
This industry really needs to clean up this mess before the government comes in and regulates the hell out of everyone. Maybe developers need a Hippocratic oath. Like: "I will not write something insecure or which otherwise contributes to these social ills."
When you write insecure code, you don't just let yourself down, but you let the company down, you let your family down and ultimately, you let society down as now it has been hampered because of your ignorance.