Of course, dealing with passwords properly on the server is only one side of the story.
If the connection between client and server is not secure, then an attacker could intercept a user's password as it travels in plaintext from client to server. And if a user's login persists by the use of a cookie, an attacker could impersonate a logged-in user by using their cookie, after intercepting it as it is sent in plaintext in every request from client to server.
4 comments
[ 2.6 ms ] story [ 19.6 ms ] threadhttp://en.wikipedia.org/wiki/Key_strengthening
If the connection between client and server is not secure, then an attacker could intercept a user's password as it travels in plaintext from client to server. And if a user's login persists by the use of a cookie, an attacker could impersonate a logged-in user by using their cookie, after intercepting it as it is sent in plaintext in every request from client to server.