
You know it’s insecure to store plain-text passwords in the database. That would make it easy for someone to find the passwords for all users. One improvement you can make over plain text is to use encryption. Encryption is still a bad way to store passwords, though, since having the key would allow you to simply decrypt the passwords. Therefore, encryption is a totally insecure way to store passwords.

The secure way to deal with passwords is by using a hashing algorithm. A hash is a one-way algorithm. You store the hash result in the database, and then when checking a password, you hash it and compare the result with the hash stored in the database...
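The hash-then-compare check the excerpt describes, as an added example that is not code from the book or this page. It uses the Python standard library's PBKDF2 (`hashlib.pbkdf2_hmac`) and goes beyond the excerpt in two ways a practitioner would expect: a fresh random salt per user and a constant-time comparison. The `USERS` dict, the iteration count, the record format and the sample passwords are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# PBKDF2-HMAC-SHA256 work factor: illustrative here; production tunes it higher.
ITERATIONS = 100_000

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'."""
    if salt is None:
        salt = os.urandom(16)  # fresh per user: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, b64(salt), b64(digest))

def verify_password(password: str, record: str) -> bool:
    """Re-hash the candidate with the stored salt and iteration count, then
    compare in constant time so timing does not leak how many bytes matched."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        salt, int(parts[1]))
    except ValueError:  # malformed iteration count or base64 (binascii.Error)
        return False
    return hmac.compare_digest(candidate, expected)

# Constructed stand-in for the users table: username -> stored hash record.
USERS: Dict[str, str] = {}
# Hashed for unknown usernames so a missing account costs the same time as a
# wrong password and cannot be told apart by response latency.
DUMMY_RECORD = hash_password("placeholder-not-a-real-password")

def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)  # the password itself is never stored

def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)  # burn equal time, then deny
        return False
    return verify_password(password, record)
```

Because the record carries its own algorithm name and iteration count, the work factor can be raised later and old records re-hashed at the user's next successful login.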