Storing passwords as plain text

Anonymous (Guest)
Well, if you're using authentication it should be over SSL.
But, in the case that you can't use SSL, then passing user information over cleartext is all you can do.

This can be accessed by anyone on a wireless connection, or by anyone at the ISPs on the path between the source and the destination.


However, putting passwords in the DB will prevent that cracker from getting that user's passwords and using them on other sites where they might be using the same password.

It's about ethics more than just security.

-B
 
$password = md5($_REQUEST['password']); is the simplest form of encryption, but you can use seeds and other things to make it even more complicated.

I typically will use a random seed for the website, and append it to or prepend it to the password just to confuse any outsiders.

md5 password encryption along with another md5 seed attached together = good enough for government work.

-B
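As an added example (not code from the post above), here are the two schemes the post describes, a bare md5 of the password and md5 with a single site-wide seed prepended, written in Python rather than the post's PHP, placed next to a per-user random salt with a slow key derivation function (PBKDF2-HMAC-SHA256) for comparison. The seed value, the three sample accounts and the wordlist are constructed for the demonstration and are not from the page; the attacker is assumed to have obtained both the stored hashes and, in the seeded case, the seed, which lives in the application code.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical site-wide seed, standing in for the one the post describes
# (one value shared by every account on the site). Constructed for this example.
SITE_SEED = "hypothetical-site-seed"

# Constructed sample accounts; two users happened to pick the same password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery"}

# Constructed wordlist an attacker might try offline against a leaked table.
WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]


def md5_plain(password: str) -> str:
    """The post's first scheme: md5 of the bare password."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_site_seed(password: str, seed: str = SITE_SEED) -> str:
    """The post's second scheme: one site-wide seed prepended, then md5."""
    return hashlib.md5((seed + password).encode()).hexdigest()


def per_user_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Contrast: a fresh random salt per account and a deliberately slow KDF.
    Returns a self-describing record: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_per_user(password: str, stored: str) -> bool:
    """Recompute from the salt and iteration count in the record; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def distinct_stored_values(hash_fn, users=USERS) -> int:
    """How many distinct values land in the DB for the sample accounts.
    With no salt, or one shared seed, equal passwords give equal rows."""
    return len({hash_fn(pw) for pw in users.values()})


def offline_guess_shared(hash_fn, stored: dict, wordlist=WORDLIST):
    """Dictionary attack on a leaked table of user -> value under a shared scheme.
    One hash computation per guess tests every account at once.
    Returns (cracked accounts, hash computations spent)."""
    by_value = {}
    for user, value in stored.items():
        by_value.setdefault(value, []).append(user)
    cracked, work = {}, 0
    for guess in wordlist:
        work += 1
        for user in by_value.get(hash_fn(guess), []):
            cracked[user] = guess
    return cracked, work


def offline_guess_per_user(stored: dict, wordlist=WORDLIST):
    """Same attack against per-user salted records: every account costs its
    own pass over the wordlist, and each guess costs a full PBKDF2 run."""
    cracked, work = {}, 0
    for user, record in stored.items():
        for guess in wordlist:
            work += 1
            if verify_per_user(guess, record):
                cracked[user] = guess
                break
    return cracked, work


if __name__ == "__main__":
    seeded = {u: md5_site_seed(p) for u, p in USERS.items()}
    salted = {u: per_user_hash(p) for u, p in USERS.items()}
    print("distinct rows, shared seed:", distinct_stored_values(md5_site_seed))
    print("distinct rows, per-user salt:", distinct_stored_values(per_user_hash))
    print("shared seed attack:", offline_guess_shared(md5_site_seed, seeded))
    print("per-user salt attack:", offline_guess_per_user(salted))
```

Running it shows the difference the seed placement makes: with the bare md5 or the site-wide seed, alice and bob end up with identical rows in the DB, and five hash computations crack both of them together. With a per-user salt the same three accounts produce three different rows, the attacker has to repeat the wordlist for each account, and every guess costs a full 100,000-iteration PBKDF2 run instead of one md5.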
 