Plenty of Fish Hacked: Sloppy security
Just heard that the biggest free dating site in North America, Plenty of Fish, has been hacked. There seems to be some drama behind it, as there are stories about an extortion attempt, but what interested me was the claim that PoF stores user passwords as plaintext! This is never a good idea. While you’re at it: sending user input to the server in plaintext is also a bad idea, so use SSL.
To store passwords safely: you don’t store passwords. Instead, store a hash of the password. This way, the server never actually knows what the passwords are. To verify a password, run the submitted value through the same hash function and compare the result with what you have in your database. Caveat: don’t use a fast, general-purpose hash function, because then it can be brute-forced; use one that can be configured to run slowly.
Solution: use bcrypt
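As an added example (not code from the original post), here is the store-and-verify flow described above in Python. bcrypt needs a third-party package, so this uses the standard library’s PBKDF2-HMAC (`hashlib.pbkdf2_hmac`) as the slow, configurable hash; the record format, the default iteration count and the function names are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os

# Record format (constructed for this example): algorithm$iterations$salt$digest.
# Storing the cost parameter alongside the hash lets you raise it later
# without breaking existing records.
ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # tune so one hash takes on the order of 100 ms on your server


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record; the plaintext password is never stored."""
    salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:  # malformed record (binascii.Error is a ValueError)
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was made with a lower cost than we now require."""
    parts = record.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))                  # False
```

On a successful login, call `needs_rehash` and, if it returns True, re-hash the just-verified password with the current cost so old records migrate over time.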
P.S. Encryption isn’t the best solution here, because all it takes is for your encryption key to be compromised to open the floodgates.