
> If you lose the database, you lose the box.

Hardly. The SQL injection may have occurred with a limited-access SQL user. The encryption algorithm might be strong enough to give you years or decades of protection against brute forcing. etc. etc. etc.

> Don't store reversibly encrypted passwords: full stop.

Absolutely. I'm just pointing out that "there's no difference between plaintext and reversibly encrypted passwords" is a blatant lie.



You already responded to the comment where I said it's possible to rig up a database so that your app server might survive SQLI, so let me just wrap this unproductive little thread up by saying: I don't believe you. If I see you mailing user passwords back to users, I will bet on SQLI losing all those passwords every time, at any odds.

Nerds like us are always going to come up with some twisted counterfactual scenario where someone somewhere could do something unexpected. I don't care. None of this is relevant to the issue at hand. This company probably isn't even encrypting passwords, but whether they do or they don't: if they get owned up, they're losing all of them.



