Secure password storing • www.martinstoeckli.ch • 2/13

Why not simply write the passwords to the database?

Well, why not? The passwords are in the database, and only the application itself can display them. If somebody forgets his password, we could immediately send an e-mail containing it.

  1. All people with access to the database, as well as the provider, can read and copy the passwords.
  2. Users often use the same password for different websites.
  3. The passwords appear in backups.
  4. Databases in a cloud will distribute the passwords worldwide.
  5. The passwords are vulnerable to SQL injection attacks.
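
An added example (not from the original slides) for points 1 and 3: the SQL dump of a table holding plaintext passwords contains them verbatim, while a salted, iterated hash keeps them out of the dump and still allows the login check. The table layout, the sample account and the choice of PBKDF2-HMAC-SHA256 are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import sqlite3

PASSWORD = "correct horse battery"  # constructed sample password
ITERATIONS = 600_000                # assumed work factor for this example


def store_plaintext(password):
    """What the slide warns against: the column holds the password itself."""
    return password


def store_hashed(password):
    """Store 'salt$digest' (hex) instead of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def make_db(store):
    """In-memory users table with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, secret TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", store(PASSWORD)))
    db.commit()
    return db


def password_in_backup(store):
    """True if the SQL dump (what a backup or a DB admin sees) shows the password."""
    dump = "\n".join(make_db(store).iterdump())
    return PASSWORD in dump


if __name__ == "__main__":
    print("plaintext column, password visible in dump:", password_in_backup(store_plaintext))
    print("hashed column, password visible in dump:   ", password_in_backup(store_hashed))
```

With a hashed column the application can no longer e-mail a forgotten password back to the user, since it never holds it after the login check.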