Protect your clients: Save hashed passwords in your database!

I’m always surprised when I open my feed reader and, over and over again, stumble upon yet another report that some website stored its users’ passwords in plain text and that those passwords got exposed.

Now, why would you need to store those passwords in plain text?

Just store a hash of each password in the database; when a user tries to log in to your site, hash the password they give you and compare it with the one stored in the database.

Now if someone breaks your database security, the users will not be harmed, because the attacker doesn’t get access to their passwords (at least not in plain text)!

If you want to add extra protection, append a “salt” string to the user’s password and hash the combined string. (This is how it’s done in symfony’s sfGuardPlugin: http://trac.symfony-project.org/browser/plugins/sfGuardPlugin/lib/model/sfGuardUser.php?rev=3980#L31)
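As an added example (not code from the original post or from sfGuardPlugin), here is the register/login flow described above in Python. It goes beyond the post’s single salt string by drawing a random salt per user and using a slow key-derivation function (PBKDF2-HMAC-SHA256) instead of a plain hash; the function names, iteration count and the in-memory dict standing in for the database are assumptions.

```python
import hashlib
import hmac
import os

# Assumed parameters (not from the post): PBKDF2-HMAC-SHA256 with 200,000
# iterations and a random 16-byte salt per user. The "database" is a dict
# mapping username -> (salt, derived_hash); no plaintext is ever stored.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from password + salt (slow on purpose)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(db: dict, username: str, password: str) -> None:
    """Store only the salt and the derived hash; the plaintext is discarded."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
    db[username] = (salt, hash_password(password, salt))


def login(db: dict, username: str, password: str) -> bool:
    """Re-hash the supplied password with the stored salt and compare."""
    record = db.get(username)
    if record is None:
        return False
    salt, stored = record
    candidate = hash_password(password, salt)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct horse battery staple")
    print("right password:", login(users, "alice", "correct horse battery staple"))
    print("wrong password:", login(users, "alice", "wrong password"))
    # Two users with the same password still get different stored hashes.
    register(users, "bob", "correct horse battery staple")
    print("hashes differ:", users["alice"][1] != users["bob"][1])
```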