I work at ProjectLocker, and I'd like to add some clarity to this thread. First, to answer the OP's questions:
a) This rumor is not true. ProjectLocker doesn't store passwords in plaintext.
b) You can't verify this for ProjectLocker or any other website without access to their backend systems.
c) I'd be fairly worried. However, I would be pretty surprised to find that any of the major Subversion hosting or Git hosting sites store plaintext passwords. It's just a bad idea.
Incidentally, all Git access at ProjectLocker uses public-key authentication and no passwords.
As others have pointed out, ProjectLocker does allow users to retrieve lost passwords. We do this by storing passwords encrypted with a two-way function. (If you ever check the "save this card for later" box on an ecommerce website, your credit card is stored that way. Same thing goes for subscription sites that bill periodically, such as Netflix.) In general, we treat passwords as sensitive data, like credit cards or customer artifacts (code, etc.). There's a fair philosophical debate about whether sites should store passwords in retrievable format, but feedback from our users indicated that they prefer retrievable passwords.
As to the post on Reddit, I can say that the poster has never worked at ProjectLocker and has no actual knowledge of our authentication systems. The poster most likely is not familiar with two-way functions, and is mistakenly confusing "reversible" with "plaintext."
Finally, if you are considering hosting your code with a third party, and you do not trust their answers to a question like this, you should definitely not store your code there. If you don't trust your host, you shouldn't use them at all, regardless of how they store your password.
Anybody with the database access to see your password, whether it's hashed and salted or not, probably has the access to read your private code anyway. – Phoshi – 2009-09-25T14:50:18.340
Phoshi: That's what I was thinking too. Someone working at any Git hosting company is probably able to peek into its users code if they want to. – S. Michaels – 2009-09-25T14:58:44.160
Pretty much. The only bad thing about plaintext passwords is if somebody more malicious gets their hands on the database - that could be bad. – Phoshi – 2009-09-25T15:01:12.017
It would be awesome if someone could edit the title to not make false accusations about ProjectLocker. Thanks! – runako – 2009-09-25T19:02:45.413
Titled edited as requested. And thanks for responding to this question. I appreciate hearing from someone who works at ProjectLocker. Also I posted a follow-up question earlier that is not specific to ProjectLocker to try to understand the technicalities of this issue better: http://superuser.com/questions/46877/if-a-forgot-your-password-page-emails-your-old-password-is-that-definitive-pr
– S. Michaels – 2009-09-25T19:28:41.197