12 upvotes, 2 direct replies (showing 2)
View submission: Reddit's Streak of Bad Luck Continues...
I don't really see what encryption gains you over hashing. Hashing is still safer and has much less liability (because there's no reasonable way for the site operator to back out the passwords, and even less, with a key, for hackers to do so without the code). Encryption, though it does have all sorts of obvious benefits over cleartext, allows for a constant-time means to back out the cleartext, which automatically (to me) makes hashing worth the (infrequent) hassle of forgotten password shenanigans.
I thought hashing passwords was SOP these days.
Comment by milkk at 14/12/2006 at 20:02 UTC
4 upvotes, 0 direct replies
True. I was simply suggesting that being able to return your password doesn't always mean cleartext.
Comment by lemmikins at 14/12/2006 at 20:58 UTC
4 upvotes, 1 direct replies
> I don't really see what encryption gains you over hashing. [...] Encryption, though it does have all sorts of obvious benefits over cleartext,
As far as passwords go, you can brute-force hashing as well -- you just compare the hashes. In fact, as it's not 1-to-1, you don't always have to guess the correct plaintext in order to get the same hash. Plus you still need some method for forgotten passwords.