Any site admin can do this. The way phishing works is it tricks you to type your username and password into a website. Because it's a fake website, they have no interest in storing the data.
A mastodon instance could be a phishing site if it wanted to and see if you're dumb enough to use the same password on the email you used to sign up to the mastodon server with.
Salting and hashing passwords is good practice if you want to protect your users, but one downside of decentralized services is if anyone can run them, then there's a lot more chance for bad actors to run them.
Any site admin can do this. The way phishing works is it tricks you to type your username and password into a website. Because it's a fake website, they have no interest in storing the data.
A mastodon instance could be a phishing site if it wanted to and see if you're dumb enough to use the same password on the email you used to sign up to the mastodon server with.
Salting and hashing passwords is good practice if you want to protect your users, but one downside of decentralized services is if anyone can run them, then there's a lot more chance for bad actors to run them.