Is it really necessary to encrypt passwords using md5() or sha1() WITH SALT (or even at all) if the connection takes place over HTTPS?
Thanks in advance
If somebody hacks into your server, or gets ahold of a backup, and the passwords aren't hashed with a salt, then they will have access to all your users' passwords. It's very much necessary to salt and hash your passwords. Probably more important than using HTTPS to authenticate.
They actually should both be used, as they solve completely different problems. HTTPS is used to protect the password as it travels over the internet to your servers. Hashing and salting is used to protect the password when it is stored on your servers.
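One way to do what the answer describes, salting and hashing a password before storing it and checking a login against the stored record, as an added Python example that is not from the question or the answer. It uses PBKDF2-HMAC-SHA256 from the standard library instead of plain md5()/sha1() (an assumption of this example; the thread only names those two), and the iteration count and the `pbkdf2_sha256$iterations$salt$digest` record format are choices of the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Scheme parameters (example choices): a slow, salted hash so that a leaked
# database does not hand out passwords the way raw md5()/sha1() would.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt stored in the record; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record, never accept
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    """Two users pick the same password; the salt keeps their stored records distinct."""
    password = "correct horse battery staple"  # constructed sample
    alice, bob = hash_password(password), hash_password(password)
    # Without a salt both users would hold the same sha1() digest, so a leaked
    # table immediately shows which accounts share a password.
    unsalted_same = hashlib.sha1(password.encode()).digest() == hashlib.sha1(password.encode()).digest()
    return {
        "salted_records_differ": alice != bob,
        "unsalted_sha1_identical": unsalted_same,
        "login_ok": verify_password(password, alice),
        "login_wrong_case": verify_password(password.capitalize(), alice),
    }


if __name__ == "__main__":
    print(demo())
```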