
Does the author of this article not know about 2-way encryption? It can be used to store encrypted passwords in a database and the original value can be retrieved.


Letting a random employee see your password on demand is just as bad as storing it in plaintext. Now the employee knows you and knows your password - for most people that means free access to their mail account, which means free access to all their accounts.


security 101 - use different passwords for everything.


Good idea in theory. Unfortunately every serious person doing programming / administration / ... will have at least 20 accounts on the internet (probably underestimated!: email, other email, HN, sourceforge, github, facebook, own pc, own pc admin, vps, stackoverflow, etc. etc.)

At some point it's not possible to remember them all anymore... You have a choice of storing them with master password (now I can get all of them in one file), using the same one, having a password scheme (like usualpwd_HN, usualpwd_gmail, ...) or ... ?

Edit: what I started doing is setting random password that I will not remember and just requesting a reset when I get logged out.


...or... writing a simple script that given a key, generates you a password based on it.

I probably have 50+ passwords at least, and every one is different. I just run my little script with a "key" and it tells me the password.

And of course browsers remember them anyway.

eg

  ./get_my_password.sh mygmail
  ./get_my_password.sh server_1_mysql_root
I think 1password etc do similar things though.


1password uses 128-bit AES, based on your master password. Intelligently, they didn't write their own encryption.

Of course, we wanted to avoid writing this code in the Agile Keychain and elected to use the OpenSSL function PKCS5_PBKDF2_HMAC_SHA1 to generate the keys. Key generation is simply too important a step to not rely directly on the experts. In order to thwart would-be attackers and strengthen the key, we elected to use 1000 iterations in the PBKDF2 algorithm.

http://help.agile.ws/1Password3/agile_keychain_design.html
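The "script that, given a key, generates a password" idea from the earlier comment and the PBKDF2 key generation quoted from the 1Password design note fit together in one small example. This is added illustration code, not the commenter's script and not 1Password's implementation: it stretches a master password with PBKDF2-HMAC-SHA1 using the 1000 iterations the quoted note mentions (a tunable a current design would set far higher), then derives one password per site label with HMAC-SHA256 so that no site's password reveals the master key or another site's password. The function names, the 32-byte key size and the 20-character output length are assumptions made here.

```python
import base64
import hashlib
import hmac

# Parameters as the quoted 1Password design note describes them:
# PBKDF2-HMAC-SHA1 with 1000 iterations. The count is a work-factor
# knob; it is kept at the page's value only to match the quote.
PBKDF2_HASH = "sha1"
PBKDF2_ITERATIONS = 1000
KEY_LEN = 32  # assumed derived-key size, in bytes


def derive_master_key(master_password: str, salt: bytes,
                      iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master password into a fixed-size key with PBKDF2.

    The salt is stored alongside the keychain; it is not secret, but it
    makes the derived key unique to this keychain for the same password.
    """
    return hashlib.pbkdf2_hmac(PBKDF2_HASH, master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def site_password(master_key: bytes, site_key: str, length: int = 20) -> str:
    """Deterministically derive one password per site label via HMAC-SHA256.

    Because HMAC is keyed by the master key, a leaked per-site password
    reveals nothing about the master key or about other sites' passwords,
    which is what makes "one different password everywhere" workable.
    """
    digest = hmac.new(master_key, site_key.encode("utf-8"), hashlib.sha256).digest()
    # URL-safe base64 yields letters, digits, '-' and '_'; trim to the wanted length.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


def lookup(master_password: str, salt: bytes, site_key: str) -> str:
    """The equivalent of `./get_my_password.sh <site_key>` as one call."""
    return site_password(derive_master_key(master_password, salt), site_key)


if __name__ == "__main__":
    # Constructed sample input: a fixed salt so the run is reproducible.
    demo_salt = b"\x01\x02\x03\x04\x05\x06\x07\x08"
    for label in ("mygmail", "server_1_mysql_root"):
        print(label, lookup("correct horse battery staple", demo_salt, label))
```

The per-site labels are the only thing the user has to remember; the master password and salt never leave the machine, and the derived passwords can be regenerated at any time instead of being stored, which is the property the commenter's script relies on.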


I used a password manager, and I have a different password for every single service that I'm signed onto.

If you're using similar passwords for all the services you're signed onto, it's pure hypocrisy to turn around and criticise Rackspace for "poor security". The single point of failure is you.


You could use a password scheme for sites you don't really care much about and stronger separate passwords for important and often used sites.

I do this and it works out well. If you use the important sites enough, you will remember your strong passwords, and for the ones you don't, you can always reset your password by email, which isn't that inconvenient when you consider how rarely you access a website whose password you cannot remember.


Another security 101: assume your users insist on using the same password for everything


1password


While the idea that Rackspace, a hardware and VM hosting provider, is really jeopardizing customers with passwords is pretty silly, it's still mostly a myth that you can use "2-way encryption" to securely store passwords in a database.

Anything the good guys can do to decrypt a password, assume the bad guys can too.


The change password code could also encrypt it in two places - a one-way hash all systems can read for authentication purposes and a second, through a one-way link (think crippled RS-232), that stores it in a way only the second system, the one that has no network access, can retrieve using its secret (embedded in hardware) ludicrously large key and only after being enabled by a certain user action and proper multi-human authorization.

But it doesn't matter how ridiculously complex the password recovery system is, allowing meatware to gain access to passwords is a no-no.
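The thread's point is that an authentication system needs only the "one-way hash all systems can read" and gains nothing safe from keeping a recoverable copy. The store below is an added example, not code from Rackspace or from any commenter: it keeps a per-user random salt, an iteration count and a PBKDF2-HMAC-SHA256 hash, verifies with a constant-time comparison, and deliberately offers no way to read a password back. The class and method names, the 16-byte salt and the 100,000-iteration default are assumptions chosen for the example.

```python
import hashlib
import hmac
import os


class OneWayPasswordStore:
    """Stores only salted PBKDF2 hashes; the original password cannot be read back.

    Each record carries its own salt and iteration count, so the work factor
    can be raised for new records without invalidating existing ones.
    """

    SALT_LEN = 16  # assumed salt size, in bytes

    def __init__(self, iterations: int = 100_000) -> None:
        self.iterations = iterations
        # username -> (salt, iterations, hash); there is no plaintext column
        self._records: dict[str, tuple[bytes, int, bytes]] = {}

    @staticmethod
    def _hash(password: str, salt: bytes, iterations: int) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(self.SALT_LEN)  # per-user salt defeats precomputed tables
        self._records[username] = (salt, self.iterations,
                                   self._hash(password, salt, self.iterations))

    def verify(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Do the same work for an unknown user so timing does not reveal
            # which usernames exist.
            self._hash(password, b"\x00" * self.SALT_LEN, self.iterations)
            return False
        salt, iterations, stored = record
        return hmac.compare_digest(self._hash(password, salt, iterations), stored)

    def stored_record(self, username: str) -> tuple[bytes, int, bytes]:
        """What an employee or a database dump could see: salt, cost, hash."""
        return self._records[username]


if __name__ == "__main__":
    store = OneWayPasswordStore()
    store.register("alice", "hunter2")  # constructed sample credential
    print("correct password:", store.verify("alice", "hunter2"))
    print("wrong password:  ", store.verify("alice", "hunter3"))
    print("on disk:         ", store.stored_record("alice"))
```

The only operations are register and verify; a support request to "tell me my password" cannot be satisfied from this store at all, which is the property the comment above calls for.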



