When the e-commerce application creates an account for a Google+ user, where should that user's passwords be stored?

Study for the CISSP Domain 5 Identity and Access Management Test with flashcards and multiple choice questions. Each question offers hints and explanations. Get ready for success!

The most effective and secure practice when managing user accounts, especially those tied to an external identity service such as Google+, is not to store the user's password on the e-commerce application's systems at all. This follows from leveraging an existing account management system in which the user's authentication and credentials are already maintained securely.

When an account is created for a Google+ user, that user's credentials, including the password, are managed by Google's account management system. For both security and simplicity, the e-commerce application should therefore not hold a copy of the password; instead it should authenticate the user through a mechanism that never requires the application to possess the password, such as OAuth or OpenID.

By relying on Google's account management system, the password is stored there as a salted hash, a technique that protects stored passwords from exposure. The rationale for not storing user passwords locally, in any form, on the e-commerce site is to minimize the impact of a potential breach of the site and to keep sensitive user information under the protection of the account service provider, which is equipped to manage it securely.

This choice aligns with identity and access management principles: it minimizes exposure of sensitive information and ensures that authentication relies on a trusted third-party service rather than on a locally maintained copy of the credential.
