I am working on an application that is targetted at non technical users. I expect a large number of support calls regarding lost passwords and inability to login.
I am using ASP.NET membership provider that provides 3 options for storing passwords - Clear text, Hashed, Encrypted.
Is it a good idea to store passwords in clear text given the nature of this application? Are there any legal issues involved in storing passwords in clear text?
No, never a good idea, no mather how silly your application is.
Never.
There is never a good reason to store passwords in your database, ever. Especially not in clear text. You should be storing the hash of the password only.
The worst thing you can do to a user is broadcast their "recovered" password across the Internet in a clear-text e-mail. It is so easy to simply store a one-way hash of the password which cannot be recovered.
For lost passwords, you simply reset their password and give them a temporary password which they have to change when they log in. Safe and secure.
People often use the same passwords for multiple applications (especially non-technical users). So your application will likely contain the passwords for people's bank accounts, email, etc.
You have a responsibility to secure users' passwords, no matter how trivial your application is.
Here's a few reasons to use unencrypted passwords:
If you feel like any of those items match your business model, then go ahead and leave your passwords unencrypted.
It's a good idea if you have usability in mind and less effort from an user perspective.
However, you have to understand that, as a developer, you need to guarantee your users safety online. What the user wants is not always the best for them.
People use the same password in a lot of accounts. If your db is compromised in some way, you're giving away passwords that can be being used in bank accounts for example.
If you think that resetting password it not for non-techie people, at least create a form to change the password like Gmail does.
I don't know in US, but at least in my country, if a compromised system stored my passwords in it, I would try to sue them, because we have ways to prevent storing clear text passwords.
When you want your site hacked and you have to guarantee that your user data is stolen or corrupted.
That's when you store passwords in clear text.
I suppose there is one situation where storing passwords in clear-text is appropriate.
If you were writing an application to use as the "before" example in a demonstration on how to write secure code so that you could show how to implement password encryption/hashing techniques.
It is never a good idea to store password in database. Store a hash of password (possibly salted). In case of lost passwords, generate a new one and send it to their verified email address - make sure they change this autogenerated password on the next login.
Your target-audience may be non technical, but that won't be the case with their friends who are casual/professional pranksters. Non technical users must be treated with extra care because they are more likely to keep same username/password combination for your small application, the Google account and the online banking account (if the bank accepts that password). They will lose their data/mail accounts/money and you will lose trust and customers.
Here is a blog post on storing passwords in databases worth reading by @codinghorror
You should only store passwords in clear text when you want it to be really easy for anyone to obtain them. For your usecase I would suggest an option where the user enters their e-mailadress and gets an e-mail containing a link with which they can log in. When logged in they should have the option to change password if they want to, but if most users aren't frequent visitors, they might not even want to change their password as they'll forget it before next visit.
Never. The "nature of the application" doesn't matter. You should ask yourself what you think the benefits of storing it in clear text are. Do you expect tech support to pick up the phone and tell them their password? Or email it to them when they forget it? Those are never good ideas.
There's an established design pattern for passwords:
That's the general overview and it's the expected approach. Other variations exist, such as providing security questions.
For any reliable information on legal reasons, consult a lawyer. In the US, you should be able to get a referral from your local bar association. I am not a lawyer and this is not legal advice.
That said, if you ever have a data breach you might be liable for anything that happens on your site, including the possibility of being responsible for anything financial or libellious. If the user uses a password on multiple sites, you might possibly be liable for other activity on other sites. In the US, you can get sued for pretty much anything, and it's not clear to me that you'd win such a suit.
So, the legal liabilities are potentially large. Consult a lawyer before saving cleartext passwords.
Security and Usability are at opposite ends of the same stick. When you make you application easy to use, like giving the user their password back you make it insecure. When you make your application ask 5 questions, a blood sample, and a password even Einstein would forget, you have usability problems.