General Question


Why is it so important that users' passwords to web sites remain in the DB in encrypted form?

Asked by Ranimi23 (1917points) April 13th, 2010

I know there are all kinds of algorithms like MD5 that hash every password one way only, so it can't be re-sent to the user if he forgets his password.

Is that really important in every web application?

I also know that if someone wants to know a password he will be able to crack it somehow.

What is the best thing to do in saving users' passwords?


12 Answers

Lightlyseared

Because users are idiots and use the same password for everything. If a hacker gets access to the db they'll know the users' email and password, and they probably use the same one for everything from fluther to paypal.

nisse

If someone steals your database, they won't have all the users' passwords, they'll just have the MD5 hashes and will need to brute force them. It's a first line of defence and keeps some of the "script kiddies" somewhat out. At least you need a minimal amount of technical proficiency and time to break the md5 hash.

Maybe you will notice the intrusion and have the time to warn your users to change their passwords before the attacker can break the hashes.

It also protects the users' passwords from the admin – he doesn't, and shouldn't, know all the users' passwords.

It’s not important in every web application, but if you are developing a larger site it’s really mandatory if you want to appear serious.

Yes you can break an MD5 hash by brute forcing it, but it takes a long time (depending on the password length).

The hash works like this: “banana” => “2/(s/SA5)=hd))=/”#”. If the attacker gets access to the database he will have the hash: “2/(s/SA5)=hd))=/”#”, but he won’t know what password has generated it, as the hashing function is “one way”. The only way to find out what password has generated “2/(s/SA5)=hd))=/”#” is to start trying different passwords and see what they hash to. The longer and more complicated the password is, the longer this process will take.

The best thing to do is to make sure your website saves the passwords in hashed form (it’s really not that much extra work, all web frameworks and languages come with these functions included), and to enforce a password policy that forces users to choose sufficiently advanced passwords.

jaytkay

I would avoid storing passwords and use OpenID.

You have probably seen sites which let you log in with your Facebook, Gmail, Yahoo or Microsoft Live ID. Your site never sees the passwords, it just gets an OK from Gmail or whoever saying, "Yes, that browser is logged in to our system".

Ranimi23

@jaytkay Can you explain how OpenID works?
How do you save in the DB the things this user is doing, like writing a blog or leaving comments? What will his userid be if he is not signed up to the web site?

Ranimi23

@nisse Thanks, I found all kinds of hashing functions I can use for doing that. I thought I would have to write my own code, but I see it's really easy now.

grumpyfish

@Ranimi23 Most DB software includes a password() function that does a simple MD5 hash. So you can just do something like "SELECT user_id FROM users WHERE PASSWORD($userenteredpasswd) = password AND username = '$username';"

OF NOTE, you should consider adding “salt” to your hashes. Basically, if I enter my password “banana”, your code should add some other text to that (e.g., “bananaFIHL”) so that you cannot simply do a dictionary attack on your password database.

That is, the md5 of "banana" is ALWAYS 8e8f c8ae 0191 a981 8948 f78a 175e 2179
The md5 of "bananaFIHL" is ALWAYS 29c5 2dd4 99a6 978d e9a9 5a0f 06b3 dd58
but if I only got your database, and not your source code, I don't know what salt you were adding, so I can't just run a dictionary attack without adding more characters.

More here: http://en.wikipedia.org/wiki/Salt_(cryptography)
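As an added example (not code from any poster in this thread), the following Python shows both points made above: nisse's, that an unsalted hash can only be reversed by guessing, and grumpyfish's, that a plain dictionary of precomputed hashes then works against any dump. It uses a random salt per user (stored beside the hash, so it needs no secrecy) and swaps MD5 for PBKDF2-HMAC-SHA256, a deliberately slow key-derivation function from Python's standard library; the wordlist is constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample wordlist: the kind of list an attacker hashes once, ahead of time.
WORDLIST = ["123456", "password", "banana", "letmein", "qwerty"]


def md5_hex(text: str) -> str:
    """Unsalted MD5, as in the PASSWORD()-style query above."""
    return hashlib.md5(text.encode()).hexdigest()


def precomputed_table(words) -> Dict[str, str]:
    """Tiny 'rainbow table': hash -> plaintext, built once and reused against any dump."""
    return {md5_hex(w): w for w in words}


def lookup_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Same password always gives the same unsalted hash, so a dump is a direct lookup."""
    return table.get(stored_hash)


def make_record(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> dict:
    """Per-user random salt stored next to a slow hash (PBKDF2-HMAC-SHA256 from hashlib)."""
    if salt is None:
        salt = os.urandom(16)  # fresh per user; not a secret, so it can sit in the same row
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    print("unsalted md5 of 'banana' recovered:", lookup_unsalted(md5_hex("banana"), table))
    a, b = make_record("banana"), make_record("banana")
    print("two users, same password, different stored hashes:", a["hash"] != b["hash"])
    print("login ok:", verify(a, "banana"), "wrong password:", verify(a, "bananas"))
```

Because each user has a different salt, an attacker must rerun the slow function per user per guess, and two users sharing a password are no longer visible as duplicate rows.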

jaytkay

@Ranimi23 Here are links to OpenID code libraries for particular programming languages
For specifics on OpenID, I would look at code for your preferred programming or scripting language.

Some links:

Getting Started with OpenID and PHP
http://devzone.zend.com/article/3581

http://wiki.openid.net/Libraries

http://www.dotnetopenauth.net/

Ranimi23

@grumpyfish Thank you for your profound explanation about MD5.
Is the salt a function I need to write myself to add bits/characters to the password, or is it also a function that is already included?

I am working with C#.

grumpyfish

@Ranimi23 Salt is generally just something you concatenate onto the beginning of the string, not usually something built in.

Ranimi23

@grumpyfish 10x a lot for your help.

BTW – I can do the MD5 Hash in C# (user name + password + salt). Is it better to do that in SQL Server 2008 and not in C# code?

grumpyfish

@Ranimi23 It probably doesn't matter which you do it in. SQL has it built in as a function, so you can just write it into the query. Doing it in C# probably involves including a crypto library (I'm not familiar with C#, I'm either writing websites in PHP or embedded code in pure C).

Not sure if this is what you were thinking, but I wouldn’t hash the username into the md5, you want to check the password that’s recorded for a specific username, rather than looking to see if anyone’s authenticated with that group of information.

That is, it’s possible, although unlikely, that grumpyfish + supersecret password + salt is the same md5 as administrator + other secret password + salt, which could let grumpyfish login as administrator without knowing those credentials.
