21

A friend actually asked me this..
He is building an Android app for selling his stuff and hasn't used hashes for storing passwords..

Comments
  • 7
    Plaintextoffenders assemble!
  • 5
    one does not just encrypt user passwords
  • 3
    Encryption is good if nobody has access to the key. One way hashing is the way to go.
  • 1
    @cmarshall10450 yeah.. just recommended that
  • 3
    @Dave-Elec 'recommended'?!

    You should kidnap his family and torture them until he finally implements hashing!
  • 1
    @alexbrooklyn.. Haha.. let him live until he uses plain text files as a database
  • 4
    At least he somehow thinks it's a good idea. We have all been noobs at some point.
  • 0
    Please, use SSO. creating yet another account is so painful…
  • 1
    With no encryption crackers will try to decrypt what is unencrypted and will fail greatly.
  • 3
    @cmarshall10450 Encryption where nobody has a key is equivalent to one-way hashing.

    Encryption where the key is known is eventually equivalent to cleartext (possibly much sooner in the event of data breaches).

    Passwords should only ever be hashed; there are zero reasons to decrypt them. The server should only know a user's password during account creation and login. And better yet: they should be hashed and salted on the client, too, so the user's effective password is also a hash. This prevents traffic sniffers from reading them, and MITMs from seeing them in cleartext.
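    The scheme the comment above describes, as an added example that is not code from the post or from any commenter: salted one-way hashing on the server, a client-side pre-hash so the raw password never leaves the app, and the server hashing that derived value again. It uses Python's standard-library PBKDF2; the iteration counts, the `register`/`login` helpers and the in-memory user store are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # server-side PBKDF2 work factor (assumed; tune to your hardware)
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Hash with a random per-user salt; returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' that can be stored as-is."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def client_prehash(username, password):
    """Client-side step from the comment: the app sends this derived value instead of
    the raw password, salted with the case-folded username so equal passwords differ."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 username.lower().encode("utf-8"), 10_000)
    return digest.hex()


# Constructed stand-in for the app's database: {username: stored record}.
DUMMY_RECORD = hash_password("not-a-real-user")  # unknown users cost the same time


def register(db, username, password):
    # The server hashes the client-derived value AGAIN: what the client sends is the
    # user's effective password, so storing it verbatim would be as bad as cleartext.
    db[username.lower()] = hash_password(client_prehash(username, password))


def login(db, username, password):
    record = db.get(username.lower(), DUMMY_RECORD)
    ok = verify_password(client_prehash(username, password), record)
    return ok and username.lower() in db
```

    Two users with the same password get different stored records (random salt), and neither the stored record nor the value on the wire can be turned back into the password.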