Is it really necessary to encrypt passwords using md5() or sha1() WITH SALT (or even at all) if the connection takes place over HTTPS?
Thanks in advance
If somebody hacks into your server, or gets ahold of a backup, and the passwords aren’t hashed with a salt, then they will have access to all your users’ passwords. It’s very much necessary to salt and hash your passwords. Probably more important than using HTTPS to authenticate.
They actually should both be used, as they solve completely different problems. HTTPS is used to protect the password as it travels over the internet to your servers. Hashing and salting is used to protect the password when it is stored on your servers.