From @Mithgol on Tue Sep 15 2015 12:51:18 GMT+0000 (UTC)
(inspired by Greg Slepak)
Yes: if a known hash is a multihash and if a text file containing the password (and only the password) was ever published, then a mere IPFS lookup will return the password in plain text form. Even if the login’s owner have not ever published the password, such file may eventually be published by someone else.
Update: no, the hash is actually more complex; see below.
Copied from original issue: https://github.com/ipfs/faq/issues/37