>> Passwords stored in databases aren't usually in clear text but rather
>> encrypted.
> I think Philip was referring to the password to access the database, not
> any passwords stored within the database...
No he's not. He's referring to things like: passwords for access to
web-based services. They're usually stored in the clear inside the DB, since
the web developers don't know what they're doing.
At the very least, the following should be done: (1) For each user listed
in the DB, store a large random integer in a field called "salt". (2) The
password is concatenated with the salt, and then a hash is taken. For
example, MD5 or SHA. (3) The hash is stored in the "password" field.
To perform authentication, take the user-supplied password, concatenate it
with the locally stored hash, and compare with the value stored in the DB.
This is a major security concern, not only because of the risk of one site
being compromised, but because people reuse passwords. For the people who
are compromised in this way, NONE of their accounts should be considered
safe. So the site maintainer is guilty of a major breach of privacy against
his own users.
--Len.
--
Early to bed and early to rise makes a man tired and grumpy.
-- Dan Bernstein
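The three-step salted-hash scheme from Len's post, written out as an added example (this is not code from the thread). The "users" table is a constructed in-memory dict with the post's two field names, "salt" and "password"; SHA-256 stands in for the post's "MD5 or SHA"; and verification recomputes the hash of password + stored salt and compares it with the stored value using a constant-time comparison.

```python
import hashlib
import hmac
import secrets


def make_salt(nbytes=16):
    # Step (1): a large random value per user, stored as hex text in the "salt" field.
    return secrets.token_hex(nbytes)


def hash_password(password, salt):
    # Step (2): concatenate password and salt, then hash.
    # SHA-256 is used here; the post says "MD5 or SHA" (see note below).
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def register(username, password, db):
    # Step (3): store only the salt and the hash, never the clear-text password.
    # `db` is a constructed stand-in for the users table: username -> row dict.
    salt = make_salt()
    db[username] = {"salt": salt, "password": hash_password(password, salt)}
    return db[username]


def authenticate(username, password, db):
    # Recompute the hash from the supplied password and the user's stored salt,
    # then compare with the stored hash. Unknown users simply fail.
    row = db.get(username)
    if row is None:
        return False
    candidate = hash_password(password, row["salt"])
    # compare_digest runs in constant time, so a mismatch does not leak
    # how many leading characters matched through response timing.
    return hmac.compare_digest(candidate, row["password"])


def shared_password_is_distinguishable(password, db):
    # Demonstrates why the salt is per user: two accounts with the same
    # password must not end up with the same stored hash, otherwise a
    # leaked table reveals who shares a password with whom.
    register("user_a", password, db)
    register("user_b", password, db)
    return db["user_a"]["password"] == db["user_b"]["password"]


if __name__ == "__main__":
    table = {}
    register("alice", "correct horse battery", table)
    print("alice / correct:", authenticate("alice", "correct horse battery", table))
    print("alice / wrong:  ", authenticate("alice", "wrong", table))
    print("unknown user:   ", authenticate("mallory", "anything", table))
    print("same password, same hash?", shared_password_is_distinguishable("hunter2", {}))
```

A fast general-purpose hash such as MD5 or SHA is what the post describes; a deliberately slow password hash (PBKDF2, scrypt, bcrypt or Argon2) is the stronger choice for new systems because it makes offline guessing against a leaked table far more expensive, and the register/authenticate structure above stays the same when the hash function is swapped.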