[thelist] hashing stored passwords (revisited)

Aredridel aredridel at nbtsc.org
Wed Jun 25 14:43:11 CDT 2003


> So aside from him being able to use a user's password on another site
> or for a different resource where the same username/password combo
> existed, does it enhance the security of a website at all? Said
> another way, assuming all your users use unique passwords for every
> site they visit (thus not allowing the same username/combo to ever be
> used twice) AND you use SSL for logins, does hashing actually do
> anything?

Well, that's a big one since most users use the same password
everywhere.

Also, if you repair the breach, you don't have to tell all your users to
change passwords -- you just restore a backup, close the hole, and
you're relatively safe, still -- you won't have joe intruder still
having access via the thousand-odd passwords he stole.
> 
> 
> Thanks,
> Chris.
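
The breach scenario discussed in this thread, as an added example that is not part of the original posts: an intruder copies the password table, the hole is closed, and he then submits each stolen stored value at the login form. The account names, passwords, function names and the PBKDF2 iteration count are assumptions made for illustration; weak passwords can still be guessed offline from a stolen hash table, which salting and a slow hash only make more expensive.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (value assumed for this example)

def make_record(password, salt=None):
    """Return (salt, digest) for storage; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def login_hashed(table, user, submitted):
    """Login against a table of salted hashes."""
    if user not in table:
        return False
    salt, digest = table[user]
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def login_plaintext(table, user, submitted):
    """Login against a table that stores passwords as-is (the weak design)."""
    stored = table.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), submitted.encode())

def replay_stolen_dump(login, table):
    """Submit every stolen stored value as the password after the hole is closed.
    Returns the users the intruder can still log in as."""
    hits = []
    for user, stored in table.items():
        # A plaintext row is the password; a hashed row only yields its digest.
        value = stored if isinstance(stored, str) else stored[1].hex()
        if login(table, user, value):
            hits.append(user)
    return sorted(hits)

# Constructed sample accounts (not real data).
USERS = {"alice": "correct horse battery", "bob": "tr0ub4dor&3"}
PLAINTEXT_TABLE = dict(USERS)
HASHED_TABLE = {u: make_record(p) for u, p in USERS.items()}

if __name__ == "__main__":
    print("plaintext table:", replay_stolen_dump(login_plaintext, PLAINTEXT_TABLE))
    print("hashed table:   ", replay_stolen_dump(login_hashed, HASHED_TABLE))
```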


