An internal web application stores user passwords in cleartext. What is the MOST appropriate action to mitigate this risk?


Multiple Choice


Explanation:
Passwords should never be stored in a form that the application, or an attacker who dumps its database, can turn back into the original password. The correct transformation is a one-way hash with a unique random salt per password, computed with a modern, deliberately slow algorithm such as bcrypt, scrypt or Argon2. The per-password salt means two users with the same password get different hashes and precomputed rainbow tables are useless; the tunable work factor makes every guess expensive, so offline brute force against a stolen hash table costs the attacker far more time and hardware (it does not rescue very weak passwords, and the work factor should be raised as hardware improves). Storing passwords under symmetric encryption with a master key is weaker because it is reversible: compromise the key, or the server that holds it, and every password is recoverable. Hashing without a salt leaves identical hashes for identical passwords and allows precomputed tables. Keeping cleartext behind a firewall protects nothing once the database itself is read, whether through SQL injection, a stolen backup or an insider. The most appropriate action is therefore to store per-password salted hashes produced by a strong, adaptive hashing function. Because the current values are cleartext, they can be hashed in a single migration pass and the cleartext column purged immediately, rather than waiting for each user's next login; whether to force a password reset as well depends on whether the cleartext is believed to have been exposed.
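The following is an added example, not code from the original page or from Passetra: it implements the recommended option with the standard-library `hashlib.scrypt`, stores the salt and cost parameters alongside the hash in a self-describing string (a format this example chose, modelled on the style bcrypt and Argon2 libraries use), migrates a constructed cleartext table in one pass, verifies passwords in constant time, and shows beside it what the unsalted-hash distractor produces. The cost parameters are this example's assumption, not a site-wide recommendation.

```python
"""Salted, memory-hard password storage with hashlib.scrypt (added example).

Assumptions: scrypt parameters n=2**14, r=8, p=1 and the "$scrypt$...$salt$hash"
storage format are choices made for this example, not values from the page.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor: n = CPU/memory cost, r = block size, p = parallelism (assumed values).
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
SALT_BYTES = 16   # 128-bit random salt per password
DKLEN = 32        # derived-key length in bytes


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii").rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.b64decode(s + "=" * (-len(s) % 4))


def hash_password(password: str, salt: Optional[bytes] = None,
                  params: dict = SCRYPT_PARAMS) -> str:
    """Return "$scrypt$ln=..,r=..,p=..$<salt>$<hash>"; a fresh salt is drawn per call."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # unique random salt for this password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=params["n"], r=params["r"], p=params["p"], dklen=DKLEN)
    ln = params["n"].bit_length() - 1          # store log2(n) to keep the string short
    return f"$scrypt$ln={ln},r={params['r']},p={params['p']}${_b64(salt)}${_b64(digest)}"


def parse_hash(stored: str):
    """Split a stored string back into (params, salt, digest)."""
    _, algo, param_str, salt_b64, hash_b64 = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format")
    kv = dict(item.split("=") for item in param_str.split(","))
    params = {"n": 2 ** int(kv["ln"]), "r": int(kv["r"]), "p": int(kv["p"])}
    return params, _unb64(salt_b64), _unb64(hash_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/params and compare in constant time."""
    params, salt, expected = parse_hash(stored)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=params["n"], r=params["r"], p=params["p"], dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, params: dict = SCRYPT_PARAMS) -> bool:
    """True when the stored hash used a weaker work factor than current policy,
    so the password can be re-hashed at the next successful login."""
    old, _, _ = parse_hash(stored)
    return any(old[k] < params[k] for k in ("n", "r", "p"))


def migrate_cleartext_table(rows: dict) -> dict:
    """One-pass migration: cleartext is available, so no per-user login is needed."""
    return {user: hash_password(pw) for user, pw in rows.items()}


def unsalted_sha256(password: str) -> str:
    """What the 'hash without a salt' option yields: identical output for identical input."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample table for demonstration; not real credentials.
    cleartext = {"alice": "correct horse", "bob": "correct horse", "carol": "Tr0ub4dor&3"}
    migrated = migrate_cleartext_table(cleartext)
    assert migrated["alice"] != migrated["bob"]          # same password, different hashes
    assert unsalted_sha256("correct horse") == unsalted_sha256("correct horse")
    assert verify_password("correct horse", migrated["alice"])
    assert not verify_password("wrong", migrated["alice"])
    print("migration ok:", migrated["alice"])
```

Storing the parameters inside the hash string is what lets `needs_rehash` raise the work factor later without a second migration: each stored value carries the cost it was computed with, and an upgraded hash is written the next time the user presents the correct password.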

