On Thu, 6 Nov 2003 09:09:57 -0500, you wrote:

>True, true. I actually use MD5() for the same reason, but, really, if
>someone has access to the database to read the hashes, odds are they have
>access to the rest of the database and your code. So what are you protecting
>really?
Many people use the same password over multiple sites. A database/OS bug could expose the user table without exposing the rest of the machine. If you have the plaintext password you can impersonate the user and modify data. I would be /very/ uncomfortable if I found that a site I use for anything meaningful stored passwords as plaintext. If nothing else, it's a litmus test of how seriously they take security.

(Agree about using md5() (sha1() is even better), not password(), though - nobody should be using password(), as the manual points out: http://www.mysql.com/doc/en/Miscellaneous_functions.html)

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
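The argument in the reply above is that a leaked user table should not hand out the passwords themselves. The following is an added example, not code from either poster or from the PHP or MySQL projects: it models a user table as an in-memory dict (constructed for the example, no database behind it), stores one row as plaintext the way the reply warns against, stores others as hashes, and then simulates the table being read out through a bug so you can see what each kind of row gives away. It goes one step beyond the md5()/sha1() the message recommends: the hashed rows use a per-user random salt and an iterated SHA-256 (PBKDF2 from Python's standard library), which is this editor's choice, and the `unsalted_md5` helper is included only to show why a salt matters when, as the reply notes, many people reuse passwords. All function and field names are this example's own.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for a "users" table: username -> row (a dict).
# There is no real database behind it; it exists only for this example.
USERS = {}


def store_plaintext(username, password):
    """The practice the reply argues against: the row holds the password itself."""
    USERS[username] = {"password": password}


def unsalted_md5(password):
    """What a bare MD5() gives you: the same input always yields the same hex digest,
    so two users with the same password get identical rows and a leak reveals that."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def register(username, password, iterations=200_000):
    """Store a per-user random salt plus an iterated SHA-256 (PBKDF2) of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    USERS[username] = {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(username, password):
    """Login check: recompute with the stored salt and compare in constant time.
    Rows without a hash (plaintext rows, unknown users) are refused."""
    row = USERS.get(username)
    if row is None or "hash" not in row:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(row["salt"]), row["iterations"]
    )
    return hmac.compare_digest(digest.hex(), row["hash"])


def leaked_table():
    """Simulate the user table being read out through a DB/OS bug: a copy of every row."""
    return {user: dict(row) for user, row in USERS.items()}


def password_visible_in_leak(password):
    """True if the password string itself appears anywhere in the leaked rows."""
    return any(password in row.values() for row in leaked_table().values())


def stored_values_match(user_a, user_b):
    """True if two rows carry the same stored secret, i.e. a leak alone would tell
    an attacker that these two users share a password."""
    a, b = USERS[user_a], USERS[user_b]
    return a.get("hash", a.get("password")) == b.get("hash", b.get("password"))


if __name__ == "__main__":
    store_plaintext("bob", "hunter2")            # constructed sample rows
    register("alice", "correct horse")
    register("carol", "correct horse")           # same password as alice
    print("bob's password readable from a leak:  ", password_visible_in_leak("hunter2"))
    print("alice's password readable from a leak:", password_visible_in_leak("correct horse"))
    print("alice can still log in:               ", verify("alice", "correct horse"))
    print("alice/carol rows identical (salted):  ", stored_values_match("alice", "carol"))
    print("same bare MD5 for both (unsalted):    ",
          unsalted_md5("correct horse") == unsalted_md5("correct horse"))
```

Running it shows the point of the reply directly: the plaintext row gives up `hunter2` to anyone who reads the table, while the hashed rows give up nothing usable for impersonation, and alice's login still works because verification recomputes from the stored salt. The salted rows for alice and carol differ even though their passwords are the same, whereas a bare MD5 would be identical for both.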