Home Code Snippets Oracle Reference Oracle Functions Oracle Error Codes Forum Oracle Jobs Oracle Blogs

Encrypting Passwords Is A Waste Of Time

Encrypting passwords is no longer a vital operation, and these days seems mostly useless. Why? I'll tell you.

With rainbow tables so easy to access the chance that your password (or those of your clients) can be cracked (matched, actually) is pretty good, and getting better every day. But there's more to it than that.

If an attacker has owns your site that already have access to your database- they don't need to crack passwords. They can simply replace any password hashes with their own, login, and then do as they please. If they want to be neat about it they can then replace the hash with the original after they're done, and no one would be the wiser.

If the have access to your code they can easily determine any salts you use to make the password hashes, so using a password salt isn't going to help either.

All in all, encrypting passwords seems more and more like a waste of time. It's a feel-good measure that doesn't really provide any added security.



This entry was posted in Uncategorized. Bookmark the permalink. Follow any comments here with the RSS feed for this post. Both comments and trackbacks are currently closed.