For the enterprise responsible for protecting customers' PII, should passwords be stored at all — even encrypted?