Storing passwords as plain text

[whitedragon101]

I have a mysql database that allows a customer to view an order they have made. The usernames and passwords only allow a customer to view but not change anything.
At the moment the passwords are stored as plain text. I have seen many security articles saying this is bad and that should someone crack into your database they can steal all your passwords. My problem is I'm confused, but it seems and correct me if I'm wrong (which is why I'm asking ) :

If someone breaks into my database then the only use of a password is to log into the system and see a users information. However if they have access to the database they already have access to the users information.

Basically:

1) Text passwords + Cracker gains access to database = user data stolen
2) Encrypted passwords + Cracker gains access to database = user data stolen

Is there any point hashing the passwords?

[egami]

Well, if you're using authentication it should be over SSL.
But, in the case that you can't use SSL, then passing user information over cleartext is all you can do.

This can be accessible from anyone on a wireless connection, anyone on the ISP from and to the source and destination.


However, putting passwords in the DB will prevent that cracker from getting that users passwords and using them on other sites where they might be using the same password.

It's about ethics more than just security.

-B

[egami]

$password = md5($_REQUEST['password']); is the simplest form of encryption, but you can use seeds and other things to make it even more complicated.

I typically will use a random seed for the website, and append it to or prepend it to the password just to confuse any outsiders.

md5 password encryption along with another md5 seed attached together = good enough for government work.

-B