Plain text password column

SteveHi

Hello

I have a small Web site that I am still testing and that uses an MS Access database and a 'register new user' and 'log-in' page. The database consists of a table in which there are columns for 'username', 'email' and 'password'.

The 'register new user' and 'log-in' pages work in that the user's details are successfully inserted into the database. In the 'password' column, passwords are stored in plain text which I have simply invented while testing, such as cat, bird, etc.

I am now proposing to salt and hash these plain text passwords, and have created two extra columns in my table: 'hash' and 'salt'. When I have the salt and hash code working for both the 'register new user' and 'log-in' pages, can I delete my current plain text 'password' column?

Thank you.
 
Clearly if your code to translate the user password from plaintext to encrypted text works, then you can drop the plaintext.
 
If you don't keep the plain text then you won't be able to tell the users what their passwords were if they forget. But if you keep the plain text then there's not much point in having the hashed version.
 
Thanks to you both for your replies.

If a user forgets his password, sneuberg, he has the chance to reset it. The problem with having passwords stored in plain text is that a hacker could easily log in to that account.

Thanks again.
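
The migration discussed in this thread, as an added example that is not part of any poster's message: backfill 'salt' and 'hash' from the existing plain text column, confirm every account still authenticates from the hash alone, and only then remove the 'password' column. It assumes Python with an in-memory SQLite table standing in for the Access table, PBKDF2-HMAC-SHA256 as the hash, and hypothetical function names and constructed sample rows.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your server


def hash_password(password, salt):
    """Derive a slow, salted hash (PBKDF2-HMAC-SHA256) from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify_login(conn, username, password):
    """Check a login attempt against the stored salt and hash only."""
    query = "SELECT salt, hash FROM users WHERE username = ?"
    row = conn.execute(query, (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_password(password, row[0]), row[1])


def migrate_and_drop_plaintext(conn):
    """Backfill salt/hash, confirm every row verifies, then remove 'password'."""
    rows = conn.execute("SELECT username, password FROM users").fetchall()
    for username, plain in rows:
        salt = os.urandom(16)  # unique random salt per user
        conn.execute("UPDATE users SET salt = ?, hash = ? WHERE username = ?",
                     (salt, hash_password(plain, salt), username))
    # Only drop the plaintext once every account authenticates via the hash.
    if not all(verify_login(conn, u, p) for u, p in rows):
        conn.rollback()
        raise RuntimeError("hash verification failed; plaintext column kept")
    conn.executescript("""
        CREATE TABLE users_new (username TEXT PRIMARY KEY, email TEXT, salt BLOB, hash BLOB);
        INSERT INTO users_new SELECT username, email, salt, hash FROM users;
        DROP TABLE users;
        ALTER TABLE users_new RENAME TO users;
    """)


def build_sample_db():
    """Constructed sample data mirroring the table described in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT,"
                 " password TEXT, hash BLOB, salt BLOB)")
    conn.executemany("INSERT INTO users (username, email, password) VALUES (?, ?, ?)",
                     [("alice", "alice@example.test", "cat"), ("bob", "bob@example.test", "bird")])
    return conn
```

Backups and old copies of the database file still contain the plain text column after the live table has been cleaned, so they need the same treatment or secure deletion.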
 
