Treat user credentials properly

If for some reason the application manages user authentication itself, it should never permanently store passwords and tokens in plain text. Storing them in plain text introduces a severe security risk. Even if an application or database is sufficiently protected from the outside world, it's important to protect the credentials from internal leaks as well.

Passwords that need to be managed within the application must be stored only via appropriate hashing algorithms and approaches such as salting. Doing so protects the credentials against malicious attacks from both inside and outside the corporation. It's advisable to consult security information organizations such as the Open Web Application Security Project (OWASP). They provide up-to-date advice on security approaches and algorithms.
