You should never store passwords in plain-text, encrypted or not, you should always use a one-way cryptographic hash like bcrypt [0], scrypt [1], or PBKDF2 [2], combined with a single use salt [3] and optionally a pepper [4], and then store the output of the hash in the database.

To confirm a user supplied password matches you run input into the same hash function again with the salt+pepper and compare it to the value in the database.

That way if the database is stolen, the attacker cannot recover the contents of the passwords without brute forcing them. Encrypting passwords is not recommended because too often attackers are able to recover the encryption keys during the same attack where the password data is extracted.

[0] https://en.wikipedia.org/wiki/Bcrypt

[1] https://en.wikipedia.org/wiki/Scrypt

[2] https://en.wikipedia.org/wiki/PBKDF2

[3] https://en.wikipedia.org/wiki/Salt_(cryptography)

[4] https://en.wikipedia.org/wiki/Pepper_(cryptography)

You speak very authoritatively on something you don’t know.

Hashing passwords has been a thing for at least 50 years now. V3 unix had /etc/passwd which hashed all user passwords. Notably, these hashed passwords in early unix have been cracked: https://arstechnica.com/information-technology/2019/10/forum...

I guess you got your answer.

Hashed, you store them hashed (and salted). A breach should never reveal passwords.

I hope youre joking

Typically you store a hash of user passwords instead, then when logging in you hash the user password client-side and compare the hashes. This acts like a one-way function that protects the password while letting the user authenticate themselves.

I don't think those words mean what you think they mean.

Assuming you're serious? Store passwords with salted one-way hashes.