Reputation: 13517
Is it really necessary to encrypt passwords using md5() or sha1() WITH SALT (or even at all) if the connection takes place over HTTPS?
Thanks in advance
Upvotes: 0
Views: 834
Reputation: 360702
Consider HTTPS to be the equivalent of an armored car transferring data back and forth between the server and the client browser. You can make that armored car as tough and secure as you want, but if the server and/or the client are a tent in the middle of an army of thieves, you've achieved ZERO in the way of security - the thieves will ignore the armored car and just cut through the tent wall and walk away with your precious valuables.
Upvotes: 1
Reputation: 66132
If somebody hacks into your server, or gets ahold of a backup, and the passwords aren't hashed with a salt, then they will have access to all your users' passwords. It's very much necessary to salt and hash your passwords. Probably more important than using HTTPS to authenticate.
They actually should both be used, as they solve completely different problems. HTTPS is used to protect the password as it travels over the internet to your servers. Hashing and salting is used to protect the password when it is stored on your servers.
Upvotes: 3
Reputation: 343
Encryption of passwords is a very good idea even if you're transmitting over an HTTPS connection. The reason is that it is possible an attacker can gain access to the database, and thus view its contents without intercepting the connection.
Upvotes: 0
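The answers above all make the same point: HTTPS protects the password in transit, while salted hashing protects it at rest in the database. The following added example (not code from any of the posters) shows what "salt and hash" looks like in practice for the stored record, using PBKDF2-HMAC-SHA256 from Python's standard library instead of a bare md5()/sha1() call; the iteration count, salt length and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: a deliberately slow KDF so that a stolen
# database cannot be brute-forced cheaply, and a fresh random salt per user so
# that identical passwords do not produce identical stored values.
ITERATIONS = 600_000
SALT_BYTES = 16
HASH_NAME = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-user random salt, stored alongside the hash
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash using the salt and iteration count stored in the record."""
    try:
        scheme, iters, salt_hex, hash_hex = record.split("$")
        algo = scheme.removeprefix("pbkdf2_")
        candidate = hashlib.pbkdf2_hmac(
            algo, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        # malformed record, bad hex, or unsupported hash name: never accept
        return False
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(candidate, expected)


def same_password_different_records(password: str) -> bool:
    """Why the salt matters: two users with the same password get unrelated records,
    yet both still verify against the original password."""
    first = hash_password(password)
    second = hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)
```

Storing the iteration count in the record lets you raise it later for new passwords while old records still verify.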