Saving passwords

2007-05-20

I am by no means a security guru, but can all you developers please end your stupid habit of saving passwords in clear text to the database.

It makes me cry when I click ‘forgot password’ on a web site and get a mail with my old password in it.

Make a hash out of the user's password combined with a random value, called a salt. Store the salt and the hash in the database, never the password itself. When the user later tries to log in, hash the supplied password together with the stored salt and compare the result to the stored hash. If the site cannot recover your password, it cannot mail it to you either, and neither can anyone who steals the database.
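The scheme above as an added example, not code from the original post. It goes slightly beyond the text by using PBKDF2-HMAC-SHA256 from Python's standard library, a deliberately slow hash, and by storing the iteration count next to the salt so it can be raised later; the salt length and iteration count are assumptions to tune for your own hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not from the original post): 16 random salt bytes,
# and an iteration count high enough to make guessing slow.
SALT_BYTES = 16
ITERATIONS = 600_000


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> dict:
    """Return what the database should store for one user: the salt,
    the iteration count and the hash. The password itself is not stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Re-hash the supplied password with the stored salt and compare.
    Nothing here can recover the original password, only confirm it."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, record["iterations"])
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    stored = make_record("correct horse battery staple")  # constructed sample
    print(stored)
    print(verify("correct horse battery staple", stored))  # True
    print(verify("wrong password", stored))                # False
```

Because every user gets a different salt, two users with the same password end up with different stored hashes, so a leaked table cannot be attacked with one precomputed lookup for all rows.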