I’m using ASP.NET membership for a site that will serve primarily sophisticated users. I understand the difference between hashed and encrypted passwords, and I’m trying to decide between the two.
After my last client complained bitterly about hashed passwords being a total PITA, I’ve started to favor encrypted passwords. But someone suggested this just isn’t secure enough.
So my question is: What, exactly are the risks of encrypting passwords? Any person with the ability to steal passwords by decrypting them from the database would surely have the ability to reset them if they were hashed, no? I’m having trouble seeing where someone could cause trouble with encrypted passwords but couldn’t with hashed ones. Making it convenient for users is also important.
The risk with decryptable passwords is that people use the one password for various logins and accounts, not just for the application you are dealing with.
stolen/decrypted password could be
tried out on users’ other accounts (e.g. a stolen banking password could lead to access to their email).
recovery. Theft of password hashes
should never easily yield usable
passwords
Treat passwords as the property of the account owner. It’s not yours to view, decrypt, or do other things with. If a user forgets their password, offer reset, and not retrieval.