• Perhaps some sort of regulation for security? Our application (browser-based and currently delivered via SSL) is completely HIPAA compliant with passwords hashed in a separate table in the security database (which is kept separate from the main application database). But it was required so perhaps if it was required for everyone and all applications (or at minimum certain classes of applications) then we would see better compliance with such a standard. :ermm: