> > [...]
> > Isn't this just as bad? If you store the encrypted password, that
doesn't
> > help you in the slightest in this case, because if you can breach the
list
> > of encrypted passwords, you still know what you need to send as the
> > "password" from the front end to let you into the database.
> > [...]
>
> If you encrypt the input from the frontend as well and compare the
> encrypted strings it will not help you to look into the list of
> encrypted passwords ... or am I wrong?
What problem are you trying to defeat? If you are worried about "sniffing"
passwords from the traveling packets, then regardless of whether the
password field carries a plain text password or scrambled garbage, if you
know where the password field is, you can sniff it. If you are simply using
this for authentication, then it doesn't matter whether the password is
encrypted or not. You are still, effectively, transmitting a "password
string" that is used for authentication.
The security of passwords, encrypted or otherwise is purely reliant on the
security of your database server that stores the data.
Does that make sense?
Regards.
Gordan
