Posted by Juha Suni on 01/02/06 16:56
> I store the user's password for an app in mysql in md5 encrypted form.
> Since php is run on the server, does this mean that the unencrypted
> password is actually passed over the net? I assume that it is the
> unencrypted password that is used in the
> passwd -O $oldpassword -P $newpassword $username
> command.
>
> Assuming I am correct, wouldn't sending the bare password over the net
> pose a security breach? If so, how do all those web apps secure
> things?
By using SSL and thus encrypting all traffic between the client and the
server.
--
Suni