[thelist] hashing stored passwords (revisited)

AxssDnied axssdnied at borg.darktech.org
Wed Jun 25 14:34:15 CDT 2003


I can think of a few reasons to hash passwords...

to me, first of all it's a privacy issue. In my experience a lot of users
actually use the same password on many similar sites for the same
userid/email address. I'm sure that if somewhere in your site it is marked
that the passwords are stored in a secure fashion, then a few users might
feel a bit relieved.

Second, it does add in my opinion a certain amount of security..
a) (assuming controlled signups) if a hacker were to exploit a problem in
a server side script and manage to inject an sql query to create
him/herself a userid for your site, then the hacker would have to know
your hashing algo as they create the sql query... else the password they
would use would not be found ('; insert into users values ('hackerid',
'hackpass');  Then hash('hackpass') != 'hackpass';

b) It offers a certain amount of security as to if ever the hacker
manages to view some of the info from your tables. I'm thinking here about
pages/extra functionality that is controlled depending on the user account
and that being database driven... the hacker might not be able to find
sensitive information in the database, but might be able to find a userid
that could grant him access to such.. if the passwords are stored clear
text.


Just my opinions of course... I do feel that there might be circumstances
that might make this kind of thing useless...

Hope this helps,
Andrew
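The verification logic behind point (a) above, as an added example that is not part of the original post or of any project it mentions. It stores a salted PBKDF2-HMAC-SHA256 record per user (the hash function, record format, the `hash_password`/`verify_password`/`login` names and the in-memory `users` dictionary standing in for the table are all assumptions made for this illustration) and shows that a row whose password column holds a plaintext value such as `'hackpass'` never verifies, because the login check hashes the supplied password and compares it with the stored record rather than comparing the two strings directly.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the example runs quickly;
# production guidance today is several hundred thousand iterations.
ITERATIONS = 100_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn per user unless one is supplied, so two users
    with the same password still get different records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """True only if `stored` is a well-formed record that matches `password`.

    A plaintext value written straight into the password column (Andrew's
    'hackpass' case) is not a record at all and therefore fails here.
    """
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        if algo != ALGO:
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


# Record for a password nobody knows; verified against when the userid does not
# exist, so a missing user and a wrong password cost the same amount of time.
_DUMMY_RECORD = hash_password(os.urandom(32).hex())


def login(users: Dict[str, str], userid: str, password: str) -> bool:
    """Look up the stored record for `userid` and verify `password` against it."""
    stored = users.get(userid)
    if stored is None:
        verify_password(password, _DUMMY_RECORD)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    # Constructed sample 'table': one properly enrolled user and one row whose
    # password column was filled with a plaintext value instead of a record.
    users = {
        "alice": hash_password("correct horse battery staple"),
        "hackerid": "hackpass",
    }
    print("alice, right password:", login(users, "alice", "correct horse battery staple"))
    print("alice, wrong password:", login(users, "alice", "battery staple"))
    print("hackerid, plaintext row:", login(users, "hackerid", "hackpass"))
    print("unknown user:", login(users, "nobody", "anything"))
```

The record carries its own algorithm name, iteration count and salt, so the work factor can be raised later and old records re-hashed at next login without a schema change. Point (b) of the post follows from the same structure: a reader of the table sees only salts and PBKDF2 outputs, not anything that can be typed into the login form.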

