Posted by: Joey deVilla on Monday, October 2, 2006 at 01:36 PM EDT
Filed under: Joey deVilla, Programming
Keywords: hashes, databases, passwords, security
One school of thought states that the best way to store users' password information is not to store the passwords themselves, but rather hashes of the passwords. When the user first signs up for an account, your application creates a hash of the password and stores that in the database. When the user logs in, your application creates a hash of the password entered at login and compares it to the hash stored in the database.
This approach has the advantage of maintaining user privacy; you wouldn't be able to find out what your users' passwords are without a great deal of work. The downside is that you can't email a password reminder should the user forget his or her password (instead, you email them a link leading to a page that lets them define a new password).
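The sign-up and login flow described above, as an added example in Python that is not part of Joey deVilla's post. It goes beyond the post's plain hash by adding a random per-user salt and a deliberately slow key-derivation function (PBKDF2) and by comparing digests in constant time; the stored record format and the in-memory `users` dict standing in for the database table are assumptions of this example.

```python
import hashlib
import hmac
import os

# Per-user salt and a slow KDF go beyond the plain hash the post describes;
# the parameters below are choices made for this example.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != f"pbkdf2_{HASH_NAME}":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:  # malformed or truncated record
        return False
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


# Constructed in-memory "users" table standing in for the database column.
def signup(users, username, password):
    users[username] = hash_password(password)  # only the hash record is stored


def login(users, username, password):
    stored = users.get(username)
    return stored is not None and verify_password(password, stored)
```

Because each record carries its own salt and iteration count, the stored hashes for two users with the same password differ, and the work factor can be raised later without invalidating existing records.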