Hi, If you're storing user password should you always md5 them? Is it legal to store the password as it was entered by the user?
It's generally not a good idea to store them unencrypted or un-hashed. As far as legality goes, it could be illegal if the passwords were being used as authentication for sensitive or financial information. In reality, it's a trust issue. If someone gained access to all of the passwords in a database, they probably have all the access that they need already. Administrators generally shouldn't have access to other people's passwords, because there's no reason to. The only person that should ever know a user's password is that user.
Thanks for your reply. I think I will store encrypted passwords and just ask them to change their password if they forget it lol
To put more strength into the md5 hashing, use a different salt for every user and store this with the user account; otherwise rainbow tables could be used to reverse engineer the passwords used when someone has read access to this table. Use a search engine to find out more about md5 and salt.
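As an added example (not code from any of the posters), here is what the advice in the two replies above looks like in practice: never store the plaintext, generate a fresh random salt per user, store the salt alongside the hash, and compare digests in constant time. The `md5_salted_hash` function mirrors the salted md5 scheme the last reply describes; the `pbkdf2_hash` function goes beyond the thread and shows the slow key-derivation approach a practitioner would choose today, since a fast hash like md5 with a salt only defeats precomputed tables, not per-user brute force. The record layout, function names and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Iteration count for PBKDF2-HMAC-SHA256; an assumed value chosen for this example.
PBKDF2_ITERATIONS = 600_000


def md5_salted_hash(password: str, salt: bytes) -> str:
    """Per-user salted MD5, as described in the thread.

    The salt makes a precomputed (rainbow) table useless, because the same
    password hashes to a different digest for every user. MD5 is still very
    fast, so each record can be brute-forced individually.
    """
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow derivation (not from the thread; stronger alternative)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return digest.hex()


def create_record(username: str, password: str, scheme: str = "pbkdf2") -> dict:
    """Build the row you would store for a user: salt and hash, never the password."""
    salt = os.urandom(16)  # fresh random salt per user, stored with the account
    if scheme == "md5":
        digest = md5_salted_hash(password, salt)
        iterations = 1
    elif scheme == "pbkdf2":
        digest = pbkdf2_hash(password, salt)
        iterations = PBKDF2_ITERATIONS
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return {
        "user": username,
        "scheme": scheme,
        "salt": salt.hex(),
        "iterations": iterations,
        "hash": digest,
    }


def verify(record: dict, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "md5":
        candidate = md5_salted_hash(password, salt)
    else:
        candidate = pbkdf2_hash(password, salt, record["iterations"])
    # hmac.compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(candidate, record["hash"])


def same_password_different_digests(password: str, scheme: str = "md5") -> bool:
    """Two users with the same password must not share a stored hash."""
    a = create_record("alice", password, scheme)  # constructed sample users
    b = create_record("bob", password, scheme)
    return a["hash"] != b["hash"]


if __name__ == "__main__":
    row = create_record("alice", "correct horse battery staple")
    print("stored row:", row)
    print("login with right password:", verify(row, "correct horse battery staple"))
    print("login with wrong password:", verify(row, "Tr0ub4dor&3"))
    print("same password, different digests:", same_password_different_digests("hunter2"))
```

A lost password cannot be recovered from such a record, which is exactly the property the thread is after: the only workable "forgot my password" flow is to issue a reset, not to send the old one back.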