If most websites can’t get password storage right, you can also bet they can’t get storage of the actual content you are trusting them with right, either. The private documents that you stored with your favorite cloud service are probably not encrypted in a way that only your account can decrypt, if they’re encrypted at all. The mobile app or website you use to access those documents may send your password and your files “in the clear,” enabling that shady-looking person on the other side of the café to snoop on you. They may advertise that they use encrypted connections but then disable verification in the mobile app so as to “not complicate the interface.” Someone could hijack your connection and the app would never notify you of the error. I have seen all of these problems in real-world cloud apps used by thousands of people.