Yeah, you actually better not save the users passwords in plain text or in an encrypted way it could be decrypted.
You rather save a (salted) hashed string of the password. When a user logs in you compare the hashed value of the password the user typed in against the hashed value in your database.
What is hashed? Think of it like a crossfoot of a number:
Let's say you have a number 69: It's crossfoot is (6+9) 15. But if someone steals this crossfoot they can't know the original number it's coming from. It could be 78 or 87.
Based on what? User agent? This wouldn't be a reliable base to know who to charge.
It's all about the given API token. If it's your own personal one (which it probably would be aber revancing the app), it is restricted anyways to x calls per month (day? IDK). If you reach that limit you simply won't be able to fetch more data.
Buuuuuut: You would still be using reddit, which we all hopefully agreed not to do anymore, right?
I think the reason behind that is that it's a new place and people are shy in new environments. Not only they behave more cautious but they lurk more (which leads to more lurking by others).
Yeah, you actually better not save the users passwords in plain text or in an encrypted way it could be decrypted. You rather save a (salted) hashed string of the password. When a user logs in you compare the hashed value of the password the user typed in against the hashed value in your database.
What is hashed? Think of it like a crossfoot of a number:
Let's say you have a number 69: It's crossfoot is (6+9) 15. But if someone steals this crossfoot they can't know the original number it's coming from. It could be 78 or 87.