limitphp, posted December 1, 2008: I have a table named user. It has a password field. Is it OK to keep users' passwords stored in there unencrypted? A lot of sites like Digg and others will send you your original password to your email if you forget it. They must be storing it unencrypted or know something that I don't know. Thanks. (Thread: https://forums.phpfreaks.com/topic/134998-solved-is-it-ok-to-store-unencrypted-passwords-in-the-database/)
.josh, posted December 1, 2008: They probably do store it in their DB encrypted. They probably just have a custom encryption algorithm that's reversible. But they probably do that, instead of something non-reversible like MD5, because they probably don't store any information that's sensitive enough to warrant it (like credit card numbers, etc.). They probably figure that the convenience of just telling you your password is a fair trade-off for the lesser security, given the lack of sensitivity in account info.
flyhoney, posted December 1, 2008: There is one-way encryption, like MD5, but there are also ways to encrypt passwords so that they may be decrypted. It just depends on the level of security you are going for. If someone gains access to your database and the passwords are one-way encrypted, they are safer. However, there are still things like rainbow tables that allow one-way encryption to be decrypted.
fj1200, posted December 1, 2008: I'd always encrypt a password. Decrypting is straightforward enough anyway. E.g., encrypt using SHA1 at login:

$SQL = "SELECT * FROM accounts WHERE username = '$uname' AND pword = SHA1('$pword')"; // string values need quoting; $uname and $pword are interpolated directly into the query here

For SHA1 you can also use MD5; for me it's OK, but I like to be a bit different. Part of me doesn't like the feature of being sent a lost password. I'd much prefer they sent you the reminder question, or else what others do and reset the password.
The Little Guy, posted December 1, 2008: Encrypt it. If the user forgot their password, make them change it to log back in.
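What the thread's advice looks like in practice (a one-way, salted hash that rainbow tables for plain MD5/SHA1 do not cover, a login check that never builds SQL from user input, and a reset flow instead of mailing the old password), as an added example that is not code from any poster. It assumes PHP 7.0 or later with the PDO sqlite driver; the table layout and the sample user are constructed for the demo.

```php
<?php
// Added example, not code from the thread: store only a salted one-way hash of each
// password (password_hash/password_verify, bcrypt by default) and bind user input via
// prepared statements. Assumes PHP >= 7.0 with PDO + sqlite; table layout constructed here.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, pword TEXT NOT NULL, reset_hash TEXT, reset_expires INTEGER)');
    return $db;
}

function registerUser(PDO $db, string $username, string $password): void {
    // password_hash() picks a random per-user salt and embeds it in the result,
    // so a precomputed (rainbow) table for plain MD5/SHA1 does not apply.
    $stmt = $db->prepare('INSERT INTO user (username, pword) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => password_hash($password, PASSWORD_DEFAULT)]);
}

function checkLogin(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT pword FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['pword']); // unknown user => false as well
}

// "Forgot password" without ever mailing the old one back: issue a random single-use
// token, store only its hash with an expiry, and let the user choose a new password.
function startPasswordReset(PDO $db, string $username, int $ttl = 900): string {
    $token = bin2hex(random_bytes(32)); // this is what goes into the e-mail link
    $stmt = $db->prepare('UPDATE user SET reset_hash = :h, reset_expires = :e WHERE username = :u');
    $stmt->execute([':h' => hash('sha256', $token), ':e' => time() + $ttl, ':u' => $username]);
    return $token;
}

function finishPasswordReset(PDO $db, string $username, string $token, string $new): bool {
    $stmt = $db->prepare('SELECT reset_hash, reset_expires FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['reset_hash'] === null || $row['reset_expires'] < time()
        || !hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false; // unknown user, no pending reset, expired, or wrong token
    }
    $stmt = $db->prepare('UPDATE user SET pword = :p, reset_hash = NULL, reset_expires = NULL WHERE username = :u');
    $stmt->execute([':p' => password_hash($new, PASSWORD_DEFAULT), ':u' => $username]);
    return true;
}

$db = openDb();
registerUser($db, 'alice', 'correct horse');
var_dump(checkLogin($db, 'alice', 'correct horse'), checkLogin($db, 'alice', 'guess'));
```

Because the stored value is a one-way hash, the site can confirm a password but can never read it back, which is exactly why a reset token rather than the original password goes out in the e-mail.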