Many database administrators believe that by encrypting their customers' passwords they protect them properly against malicious operations, but security expert Javvad Malik explains that this is not the best way to secure a password. He released a video in which he demonstrates, in simple terms, the difference between encrypting a password and hashing it.
If a password is encrypted, it is still recoverable by anyone who holds the decryption key, which in practice includes the administrator. If someone obtains administrative rights over the database, or steals the key along with the data, they can decrypt the string that safeguards the user's account.
This is why hashing is recommended: a hash cannot be reversed to recover the password, so the database never holds anything that unlocks the account directly. Use one of the stronger SHA-2 family functions rather than MD5, which has become increasingly vulnerable to attacks over the past few years; better still, use a purpose-built password hash (PBKDF2, bcrypt, scrypt or Argon2), which runs the hash many times so that each guess an attacker makes is deliberately expensive.
Furthermore, to make the stored hashes harder to crack, administrators should salt them: a random value, different for each user, is combined with the password before hashing and stored alongside the result. With a unique salt per hash, an attacker cannot run one precomputed table against the whole database and must attack every password separately, which makes recovering them far more expensive, though still not impossible for weak passwords.
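To make the difference concrete, here is an added example (not code from the video or the article) contrasting a bare, unsalted SHA-256 with a salted, iterated password hash. It uses only the Python standard library (`hashlib.pbkdf2_hmac`, `hmac.compare_digest`, `os.urandom`); the record format `pbkdf2_sha256$iterations$salt$digest`, the iteration count and the list of "common passwords" are assumptions made up for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Constructed example value: tune it to the
# slowest your login path can afford (on the order of hundreds of ms per hash).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast hash, no salt.
    Every user who picked the same password gets the same stored value, and a
    table of hashes computed once in advance recovers all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed attacker-side table: unsalted hashes of a few common passwords,
# standing in for a rainbow table or a wordlist hashed once up front.
COMMON_PASSWORDS = ["123456", "password", "hunter2", "letmein"]
PRECOMPUTED = {unsalted_sha256(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """Instant recovery against an unsalted store: the same table serves for
    every account in the database. Returns the password or None."""
    return PRECOMPUTED.get(stored_hash)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256).
    Returns a self-describing record 'pbkdf2_sha256$<iters>$<salt_hex>$<digest_hex>'
    (format assumed for this example) so the salt and work factor travel with
    the digest and can be upgraded per user later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so response timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Two accounts that chose the same weak password.
    leaked = unsalted_sha256("hunter2")
    print("unsalted store, table lookup recovers:", lookup_unsalted(leaked))
    alice = hash_password("hunter2")
    bob = hash_password("hunter2")
    print("salted records identical?", alice == bob)
    print("alice logs in:", verify_password("hunter2", alice))
    print("wrong password:", verify_password("hunter3", alice))
```

Note that the salt is stored in the clear next to the digest; it is not a secret, its job is only to make each hash unique. The slow work factor is what makes guessing expensive, and the constant-time comparison in `verify_password` avoids turning the check itself into an oracle.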