For entities that store your passwords (e.g., Google) and then give you the ability to view them later as plain text… why? When was this deemed okay to do?
Even the ability to show the password while typing is beyond me, not because of over-the-shoulder peeking, but because even if you had strong anti-keylogger tech, all it takes is a single-frame screenshot of your viewport. I’d assume malware could very quickly toggle “show password”, take a regioned screenshot (or… is the data being written to the screen grabbable before it is drawn?), and re-toggle it without you even noticing.
However, the entire set of all your passwords being readable on the back-end? What!? If the service provides the ability to leak out every single password I’ve ever saved there, then an intruder gets way more than “access to those accounts” – they can certainly, say, change my password for other accounts in the case of Gmail, but holy what-in-the-world, they don’t get to “see” my previous and other passwords.
They get to see every intended and/or unintended password-making pattern or strategy, and devise a whole specialized wordlist and ruleset for me as a target to potentially target any of my accounts – beyond even what is listed for them.
I’d rather opt out, but of course, if you can opt back in and re-show what was stored without being forced to change the password, that’s useless.
Why? Is this seriously considered okay to do in this day and age? What’s the logic behind it?