A cleartext password is a password stored in readable form, without hashing, salting, or other protective controls. If an attacker steals the file, database, or backup that contains it, the secret is immediately usable. That is far more dangerous than stealing a properly hashed password, which usually requires costly offline cracking before it can be used.
Cleartext storage matters because a single compromise can expose every account in that store at once. Attackers often reuse the stolen credentials on other services, launch credential stuffing, or target victims with believable phishing because they already know valid usernames and passwords. Defenders prevent this by never storing passwords in cleartext, using slow salted password hashes, restricting database access, encrypting backups, and forcing resets if plaintext storage is discovered. Modern defenses also include MFA and monitoring for suspicious login attempts.
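
One way to apply the storage and reset advice above, shown as an added example that is not part of the original page: it replaces cleartext entries in a user store with salted scrypt hashes and flags those accounts for a forced reset. The scrypt cost parameters, the record layout (`password`, `must_reset`), the stored-hash format and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune for your hardware.
N, R, P, DKLEN = 2**14, 8, 1, 32

def _derive(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)

def hash_password(password):
    """Return 'scrypt$<salt hex>$<hash hex>' with a fresh random salt per password."""
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_derive(password, salt).hex()}"

def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # not in the hash format used here (e.g. a cleartext value)
    if scheme != "scrypt":
        return False
    return hmac.compare_digest(_derive(password, salt), expected)

def is_hashed(stored):
    """True if the stored value has the three-part format written by hash_password."""
    parts = stored.split("$")
    return len(parts) == 3 and parts[0] == "scrypt"

def remediate(users):
    """Hash any cleartext entries in place and flag those accounts for reset."""
    flagged = []
    for name, rec in users.items():
        if not is_hashed(rec["password"]):
            rec["password"] = hash_password(rec["password"])
            rec["must_reset"] = True  # the cleartext value may already be exposed
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    # Constructed sample store: one cleartext record, one already hashed.
    users = {
        "alice": {"password": "s3cret-constructed", "must_reset": False},
        "bob": {"password": hash_password("hunter2-constructed"), "must_reset": False},
    }
    print("forced reset required for:", remediate(users))
```

Hashing the discovered cleartext in place only stops further exposure from the store itself; the reset flag is still needed because the old value must be treated as compromised.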



