Archive for the ‘Security’ Category

Jan 19, 2010

Nonsecure items in IE (Solved!)

We recently came across an issue when creating a site with SSL plugged in: in Internet Explorer we were getting the good ol' "This page contains both secure and nonsecure items." popup. It took us a good long while before we finally realised what it was... Fancybox!


Mar 10, 2009

Naughty Naughty

As reported on The Register, grey hat hackers discovered an SQL injection vulnerability in the Daily Telegraph property website. Not only did their website allow malicious users to access information stored in their website, but the site was storing users' passwords in plain text. I am finding it hard to believe that there are developers out there who aren't aware of the best practice for storing passwords. Even if your site and database are secure, you are taking a huge risk with someone else's private data. So many users share passwords across sites that, if your site needs a password, you have a responsibility to ensure that your user authentication does not rely on the storage of a password in plain text.

Use of SHA1 plus salt is current best practice for storing passwords and something we use in all of our development work.