Post: Key as filename
Posted Thursday 22nd November 2007 01:23 GMT
In Google serves up surprise password cracking function
"I've even written code which does the same. When I needed to store a file, indexed by a key, a simple option is to make the filename the key's MD5 hash."
You'd have to be pretty retarded to ever use the password as the key you store info by though, let alone storing it in a web accessible way. After all, Google can only index that which appears openly on the web.
To combine those two fatal flaws with the storage of plain text passwords even though you have a matching hash should be enough to get you marked as a danger to all mankind.
If you must use a key as a filename, it should be either a unique username or ID (which, for the benefit of Steven Murdoch, are 100% resistant to accidental collisions). Password hashes definitely taste better with salt. There is no excuse for ever storing plain text passwords, anywhere.
As for WordPress, phpBB, VB and other big name web software, I'm always of the opinion that if it's worth doing then it's worth doing yourself. They've all proven repeatedly that they know bugger all about security, and their code should never be trusted without some serious modifications.
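An added example, not part of the original comment: it contrasts the criticised pattern (unsalted MD5 of the secret as the filename) with a record keyed by a validated username and holding a per-user salted hash. The username policy, the `.rec` suffix, the PBKDF2 iteration count and the sample users are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import re
import tempfile
from pathlib import Path

PBKDF2_ITERATIONS = 200_000                 # assumed work factor
SAFE_ID = re.compile(r"[a-z0-9_]{1,32}")    # assumed username policy

def weak_filename(password: str) -> str:
    # Criticised pattern: the same password always yields the same public name.
    return hashlib.md5(password.encode()).hexdigest()

def record_path(store: Path, username: str) -> Path:
    # Key the file by a unique, validated username, never by the secret.
    if not SAFE_ID.fullmatch(username):
        raise ValueError("username not allowed as a filename")
    return store / f"{username}.rec"

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def set_password(store: Path, username: str, password: str) -> None:
    salt = os.urandom(16)                   # fresh random salt per user
    record_path(store, username).write_bytes(salt + _derive(password, salt))

def check_password(store: Path, username: str, password: str) -> bool:
    path = record_path(store, username)
    if not path.exists():
        return False
    blob = path.read_bytes()
    salt, stored = blob[:16], blob[16:]
    # Constant-time comparison of the recomputed and stored digests.
    return hmac.compare_digest(_derive(password, salt), stored)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp)                   # constructed store, outside any web root
        set_password(store, "alice", "hunter2")   # constructed sample users
        set_password(store, "bob", "hunter2")
        a = (store / "alice.rec").read_bytes()
        b = (store / "bob.rec").read_bytes()
        return {
            "weak_names_equal": weak_filename("hunter2") == weak_filename("hunter2"),
            "salted_records_differ": a != b,
            "good_login": check_password(store, "alice", "hunter2"),
            "bad_login": check_password(store, "alice", "wrong"),
        }
```
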