Why would you ever want to store a plain-text or encrypted (not hashed) password in a database?

I've heard quite a few reasons for storing hashed passwords in a database. However, there are almost always options in authentication APIs to store passwords as plain text or encrypted.

Is there ever a reason you would want to store a password as plain text or encrypted in a database?

Note: To be clear, I know that storing non-hashed passwords is almost always bad (as far as I know anyway). My question is why most authentication APIs include options to store passwords as encrypted or plain text.

Earlz asked Sep 16 '10 06:09



2 Answers

The only real reason I can think of is when the database belongs to a system that is itself targeting the real application. Like when you have programs that log into something for you (email clients, instant messaging clients, etc.). All those have to store the password in a recoverable way to get access, because the target application won't decide between real user and user via a tool. Exactly at this point, however, OAuth and the like are made to save the user's password.

poke answered Sep 21 '22 22:09


One reason I can think of is to allow a password recovery option. There's no way to recover a password that the system doesn't know.

Of course the alternative is for the system to just reset the password to something new and send you the new password.

Andrew Cooper answered Sep 22 '22 22:09