Shall I hash users of my portal when password is generated by server and user cannot change it? Logically:
User can't use this passwords anywhere else as it is server-generated.
Even when somebody access database illegally, they can change password and see it, but it is useless for them as it is not used anywhere else.
Am I right? Or hashing still should be implemented...?
分享 Security is something done in layers and each layer is designed to raise the cost of doing something you don't want them to. Do security guards prevent robberies? No, but they raise the cost of committing one to where most people won't bother.
Hashes don't prevent people from hacking your users but an unencrypted password is an open invitation for anyone who gains access to that data to log into your users' accounts freely for as long as it takes you to discover the hack.
分享
