How do sites like Meebo store usernames and passwords?

I recently used Meebo and I must admit I'm a little paranoid about typing my IM login information into a site like this. How do they store my username and password for each of the separate IM services? I only feel comfortable when a site takes my password and does some type of irreversible, one-way function on it, but it seems that Meebo would have to store my passwords in a way that they could retrieve them at anytime in order to facilitate the automatic logon into the separate IM services they support. Am I justified in being paranoid about this?


EDIT: I found this excerpt from Meebo's privacy policy:

Third Party IM Service User Names and Passwords. Meebo allows you to access third party IM services by logging into your account through Meebo (the "Third Party IM Services"). In order to access your Third Party IM Service account, you must enter your applicable user name(s) and password(s) on the Meebo Service. To use the basic IM services on the Websites, Meebo does not store the password(s) of your Third Party IM Service accounts on our server. If you wish to utilize advanced features of the Services, such as automatic sign-in, storage of your password(s) may be necessary.

Jeff Atwood posted on this topic a while back in this article: Please Give Us Your Email Password.

Andrew Garrison asked Jul 15 '09 17:07

2 Answers

Yes, you are.

Spencer Ruport answered Sep 28 '22 05:09


  1. Meebo to Piskvor: Give me your IM password, I'll login for you.
  2. Piskvor to Meebo: It's "12345".
  3. Meebo to IM: Hello, I'm "Piskvor"; to prove it, my password is "12345"
  4. IM to Meebo: Hello, you are indeed "Piskvor"; there's also a message for you from user "average".
  5. Meebo to Piskvor: There's a message for you from user "average".
  6. (etc)

Take note of lines 2 and 3. In order to do #3, Meebo needs your password; unless there's some cooperation between the IM provider and Meebo (which is possible but unlikely), it has, at some point between those lines, your plaintext password.

Congratulations, you no longer have complete control over your IM account; as far as the IM service cares, Meebo is you.

In other words: do you trust Meebo not to abuse your password? Do you trust Meebo to protect your password? Do you trust that Meebo won't be hacked and your password stolen? As far as I see, there's no way to tell (unless you're Meebo, which you're not).

It boils down to this: do you trust Meebo's promises?

Here's my $0.02: Convenient? Check. Horribly insecure? Check.


Oh, and to answer the question in the title: best practice would be "encrypt the password, don't keep the plaintext anywhere (any longer than absolutely necessary)". However, I've seen too many databases with plaintext password fields; some businesses apparently see encryption as a waste of effort until Something Really Bad Happens. Does Meebo? I don't have a way to tell.

Piskvor left the building answered Sep 28 '22 04:09
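The two kinds of storage the question contrasts, and step 3 of the exchange in the answer above, as an added Go example that is not part of the original page and is not Meebo's code: the site's own login password is kept only as a salted PBKDF2 hash (one-way, so the site can check it but never hand it back), while a third-party IM password needed for automatic sign-in is kept AES-GCM encrypted under a server-side key and has to be decrypted back to plaintext at the moment the proxy logs in as the user. Everything here is constructed for the illustration: the names `SiteCredential`, `StoredIMPassword` and `AutoSignIn`, the `Piskvor`/`12345` account, and the `map[string]string` standing in for the IM network; the inline PBKDF2 exists only to keep the block standard-library, and its iteration count is deliberately low.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// pbkdf2 computes one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018); inlined only to stay standard-library, use a vetted KDF in production.
func pbkdf2(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian index of the first (and only) output block
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

const kdfIterations = 10000 // deliberately low so the example runs fast; raise it in production

// SiteCredential is what the site keeps for the user's own login: a salted one-way hash it can check but never reverse.
type SiteCredential struct{ Salt, Hash []byte }

func NewSiteCredential(password string) (SiteCredential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return SiteCredential{}, err
	}
	return SiteCredential{Salt: salt, Hash: pbkdf2([]byte(password), salt, kdfIterations)}, nil
}

func (c SiteCredential) Verify(password string) bool {
	return subtle.ConstantTimeCompare(c.Hash, pbkdf2([]byte(password), c.Salt, kdfIterations)) == 1
}

// StoredIMPassword is what a proxy must keep to offer automatic sign-in to a third-party network: the
// real password, AES-GCM encrypted under a server-side key. Whoever holds this row and that key has it.
type StoredIMPassword struct{ Nonce, Ciphertext []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func EncryptIMPassword(key []byte, user, password string) (StoredIMPassword, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredIMPassword{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredIMPassword{}, err
	}
	// The user name is bound as associated data, so a blob cannot be replayed under another account.
	return StoredIMPassword{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, []byte(password), []byte(user))}, nil
}

func DecryptIMPassword(key []byte, user string, s StoredIMPassword) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(user)) // fails on a wrong key, user or tampering
	return string(pt), err
}

// AutoSignIn is step 3 of the exchange in the answer above: the proxy has to turn the stored blob back into
// the plaintext password and present it. network is a constructed stand-in (user -> password) for the IM
// service, which only ever sees plaintext and therefore accepts whoever knows it as the user.
func AutoSignIn(key []byte, network map[string]string, user string, s StoredIMPassword) (bool, error) {
	password, err := DecryptIMPassword(key, user, s)
	if err != nil {
		return false, err
	}
	want, ok := network[user]
	return ok && subtle.ConstantTimeCompare([]byte(want), []byte(password)) == 1, nil
}

func main() {
	key := make([]byte, 32) // the server-side key; it must live somewhere other than the table of blobs
	rand.Read(key)
	stored, _ := EncryptIMPassword(key, "Piskvor", "12345") // constructed sample account
	fmt.Println(AutoSignIn(key, map[string]string{"Piskvor": "12345"}, "Piskvor", stored))
}
```

Run it with `go run`. The answer's point sits in `AutoSignIn`: whatever the at-rest format, the proxy has to reach the plaintext to act as you, so the server key together with the database row is worth exactly as much as the password itself, and a one-way hash is only an option for the credential the site verifies on its own (the `SiteCredential` login), never for one it must forward.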