by irahul
4954 days ago

> I see a popular website not hashing passwords.

Some sites do it deliberately. If your customer base is mainly non-technical, directly emailing them the password increases the chance they will log back in, compared to sending them a password reset link. I think I read it in the context of PlentyOfFish.

> Isn't it compulsory to hash user passwords, as otherwise it would be a severe user data compromise?

If an employee or a cracker has access to the user database, doesn't he already have the user data? The main reason passwords should be hashed is that if a rogue employee or a cracker has access to user data (what user data you have is already compromised here), he might be able to gain access to the user's mail, bank or other accounts, as most people tend to reuse passwords.

You sound like you may not be aware of how attacks happen in real life.
Most of the e-mail addresses that people sign up with are either Yahoo or Gmail. Most people are lazy and choose for this third-party site the same password as for their Yahoo or Gmail accounts.
If the passwords are in plain text ... well ... then people's Yahoo and Gmail accounts are at risk.
Recently, Yahoo notified me that someone had been trying to brute-force my Yahoo Mail password. Luckily I use a different password on third-party sites, but the thought of someone taking over my e-mail account was rather scary.