[thelist] hashing stored passwords (revisited)

Chris W. Parker cparker at swatgear.com
Wed Jun 25 14:09:09 CDT 2003


Hi.

OK, for some reason I'm drawing a blank on why it is such a good idea to hash (md5/sha-1) your users' passwords before they go in a database. At one point I had it explained to me and I thought that it was a good idea, but now that I'm thinking about it again (and getting ready to implement it) I can't remember why.

Here is my problem:

If you are using SSL to log in your users, the data that's being passed back and forth is already encrypted. So assuming someone was able to middleman the data, they wouldn't know what was going on because of the encryption, right? So getting that data wouldn't help them retrieve a password. This is good.

Since any data the middleman gets is going to be useless, how does storing a password in a tricky manner make anything more secure? If the bad guy steals the entire database, the fact that he can't read the passwords because his brain can't reverse the hash doesn't prevent him from opening any table he pleases and viewing the contents.

So aside from him being able to use a user's password on another site or for a different resource where the same username/password combo existed, does it enhance the security of a website at all? Said another way, assuming all your users use unique passwords for every site they visit (thus not allowing the same username/password combo to ever be used twice) AND you use SSL for logins, does hashing actually do anything?


Thanks,
Chris.
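Editor's note: the example below is added here and is not code from Chris or from the list. It makes the two threat models in the question concrete. SSL protects the password on the wire; hashing protects the record at rest, which matters exactly in the case the post raises, the attacker who walks off with the table. Three things are shown: a dumped hash cannot be replayed as a password, because the server hashes whatever it receives and compares; the unsalted md5 the post mentions falls to a precomputed dictionary table, and every user who chose the same password falls at once; and a salted, iterated hash (PBKDF2 from Python's standard library, used here as the hardened form, an assumption the post does not make) gives each user a distinct record so the attacker has to guess per user at a tunable cost. The user table, word list and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the original post): a small user table in which
# two users picked the same weak password, and a dictionary an attacker would try
# against a stolen dump.
SAMPLE_PASSWORDS = {"alice": "password1", "bob": "password1", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein"]

# Assumption: iteration count chosen so each guess costs the attacker noticeable CPU.
PBKDF2_ITERATIONS = 100_000


def store_md5(password: str) -> str:
    """Unsalted MD5 as the post proposes: the same password gives the same digest for everyone."""
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. The stored record carries the parameters needed to re-check a login."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(record: str, candidate: str) -> bool:
    """Server-side check: re-derive with the stored salt and compare in constant time."""
    _alg, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(db: dict, user: str, candidate: str) -> bool:
    """What the site does with whatever arrives over the SSL channel.
    Only the original password verifies; submitting the stored hash itself fails."""
    record = db.get(user)
    return record is not None and verify_pbkdf2(record, candidate)


def crack_unsalted(digests: dict, wordlist) -> dict:
    """Attacker holding a dump of unsalted MD5 digests: hash each word once,
    then look every user up in the table. Shared passwords fall together."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[d] for user, d in digests.items() if d in table}


def crack_salted(db: dict, wordlist) -> tuple[dict, int]:
    """Same attacker against salted PBKDF2 records: no shared table is possible, so every
    (user, word) pair costs a full derivation. Returns what was found and how many
    derivations it took."""
    found, work = {}, 0
    for user, record in db.items():
        for word in wordlist:
            work += 1
            if verify_pbkdf2(record, word):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    md5_db = {u: store_md5(p) for u, p in SAMPLE_PASSWORDS.items()}
    pbkdf2_db = {u: store_pbkdf2(p) for u, p in SAMPLE_PASSWORDS.items()}
    print("alice and bob share an md5 digest:", md5_db["alice"] == md5_db["bob"])
    print("alice and bob share a pbkdf2 record:", pbkdf2_db["alice"] == pbkdf2_db["bob"])
    print("dumped record replayed as password logs in:", login(pbkdf2_db, "alice", pbkdf2_db["alice"]))
    print("unsalted md5 cracked:", crack_unsalted(md5_db, WORDLIST))
    print("salted pbkdf2 cracked (found, derivations):", crack_salted(pbkdf2_db, WORDLIST))
```

The point for the question in the post: the two weak passwords still fall in either scheme, because hashing is not encryption and a guessable password stays guessable. What hashing buys is that the thief cannot read the passwords off the table, cannot log in by replaying what he stole, and, with a salt and a work factor, pays per user and per guess instead of once per dictionary word.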

