We have a similar set up at our work, but we still encrypt our users' passwords. That way not even the dba knows what passwords other people use, although the s/he can still change the password for any user on our site. A lot of people use the same password for everything they do, and it would be possible for the dba to get ahold of all of those passwords and usernames from the database if they were in clear text, which could be bad.
Of course, I'm the dba, and I wouldn't do that sort of thing, but I've encrypted the passwords anyway with a one-way md5 hash. At least the users can feel a bit more secure that their passwords are safe from prying eyes, even from the dba. Makes it a bit of a hasstle when somebody asks for their forgotten password -- I can't exactly decrypt the 128-bit hash any time soon, can I? I can set their passwords to something else, of course, but sometimes they just want their old password.... J Anas Mughal wrote: > We had a client who wanted us to encrypt their > passwords. Our argument was that maybe their database > is not well protected. Only the dba and the > application should have access to the database. > No-one else should be able to view their data anyways. > We didn't see any need to encrypt the passwords. > > Any thoughts... > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
