I have recently installed and am learning the use of mod_auth_mysql. For a simple subscription based website or in my case - a fire deparment members only section - is it important to encrypt passwords. For programing sake, I think it would be easier having them in plain text in the database (easier to verify and update), but I figured I'd ask.

In what instance would encryption be necessary using mod_auth_mysql with a website?

If you ever allow users to write their own queries, you would definitely want to store the password data in an encrypted form. Better yet, you might consider storing the site specific (system) data in one database, and the application (user) data in a different database.

If you have any HIPPA protected data for your EMTs, that needs special security. If you have any Sarbanes-Oxley protected data (probably for budgeting and related activities), that needs special security too.

The business of deciding what needs to be protected, and how that protection needs to be done is a complex bag of worms. You probably want to talk to somebody in the governmental group that provides funding/oversight to get some guidance from them on these issues.

-PatP

Thanks Pat,

You brought up some really great examples that I will be using in a future project for the Mississippi State Fire inspectors website, part of which would contain sensitive information that would need to be password protected.

The project I'm currently working on is for my local Fire Department of which I am a member. There is relatively little sensitive information other than personal contact information so that FD members can get other FD members phone and addresses through a secured section.

Fortunately (or unfortunately depending on how I look at it) there is no one else that will be writing any queries to any SQL databases in either instance. I appreciate your insight and when we (read I) start working on the State Fire Inspectors site I will take extra precautions to insure it is secure.