A bigger question I have is, what if an attacker gets access to your database? Don't they get access to ALL user data of your service in the open? Do we hash and salt the passwords only because of password re-use?