Database password security

Sayian

How important is it really to secure your passwords in mysql?

I mean, the only situation i could think of, were a hacker could gain the passwords, would be if they gained access to SQL, and if that happened, well .. they could destroy the entire database, whats a hash gonna do to stop them?

I need a way to be able to send my members their lost passwords if they have fogotten them, and if i MD5 the passwords, i cant un - md5 them back into plain text to send. So, thats 1 drawback.

I mean, is this really needed?

Feedback please.

Sayian

By the way, i didnt mean to post this in the newbie section, a mod might move this to general for me, thanks.

Plasma

Dont send them their password, give them the option to reset it (validate who they are via their email address etc).

Just because someone could possibly gain access to your database, does not mean they would destroy it - they could look up your password for example and silently login as you and do actions as you, without you noticing.

DoctorWho

Depends. How are you stroring your passwords?

Are you using the native MySql user/password table?
If so, you can limit each user to SELECT ONLY, or any other type of access you want to grant them to your DB Tables.
This table does automatically hash the Passwords.

If you are using a seperate table for Passwords, and all it's doing is essentially allowing a user to say, create a session and access certain portions of your site, I would say it's not that big of a deal the passwords get encrypted.

But I would still encrypt anyway, it doesn't hurt, and you will learn about the process.

You could also explore AES and DES.

ANd like the user above said, let them re-set their passwords when needed, since you can't un-hash MD5.