You have a good point, Wictor. However, I think all depends on just *how* secure the data should be.

In my case, I'm working with an application that does need to be secure, but it's not like it's storing financial records or national secrets. It's an application that allows customers to respond to RFP's from my client. The fact is that the end-user base is not exactly computer-savvy, so my client gets LOTS of phone calls regarding "why can't I log in?" In my specific case, the risk of some rogue hacker wanting to hack usernames and passwords seems far less than the time and money that would be saved by my customers in the reduced number of tech support calls.

Bottom line, you're correct that it does open up a security risk. However, in any application, there's usually a monetary cost associated with increased security. In this case, the reduced cost outweighs the possible risk, for my client.