Why should account passwords be hashed (in database)?
Reasons I can think of:
Database admins (or hackers) won't know the passwords
Is there any other reason?
Why should passwords be hashed (in database)
Page 1 of 1 - 5 Replies - 278 Views - Last Post: 25 February 2013 - 12:08 AM
Replies To: Why should passwords be hashed (in database)
#2
Re: Why should passwords be hashed (in database)
Posted 23 February 2013 - 03:30 AM
ain’t that enough for a reason?
#3
Re: Why should passwords be hashed (in database)
Posted 23 February 2013 - 11:14 AM
They should not only be hashed, but salted and hashed.
#4
Re: Why should passwords be hashed (in database)
Posted 23 February 2013 - 11:45 AM
A hash, unlike encryption, isn't reversible. So even if someone sees the hash, they cannot reverse engineer the password. Think of a hash like a math function, so hash(password). If someone intercepts the hash and tries to login with it, the hash will be rehashed. So hash(hash(password)) != hash(password).
#5
Re: Why should passwords be hashed (in database)
Posted 24 February 2013 - 10:28 PM
A first thing to note is that there are many people who talk about encrypted passwords but really mean hashed passwords. An encrypted password is like anything else which has been encrypted: it has been rendered unreadable through a process which used an extra piece of secret data (the key) and which can be reversed with knowledge of the same key (or of a distinct, mathematically related key, in the case of asymmetric encryption). For password hashing, on the other hand, there is no key. The hashing process is like a meat grinder: there is no key, everybody can operate it, but there is no way to get your cow back in full mooing state. Whereas encryption would be akin to locking the cow in a stable. Cryptographic hash functions are functions which anybody can compute, efficiently, over arbitrary inputs. They are deterministic (same input yields same output, for everybody).
In shorter words: if MD5 or SHA-1 is involved, this is password hashing, not password encryption. Let’s use the correct term.
Once hashed, the password is still quite useful, because even though the hashing process is not reversible, the output still contains the “essence” of the hashed password and two distinct passwords will yield, with very high probability (i.e. always, in practice), two distinct hashed values (that’s because we are talking about a cryptographic hash function, not the other kind). And the hash function is deterministic, so you can always rehash a putative password and see if the result is equal to a given hash value. Thus, a hashed password is sufficient to verify whether a given password is correct or not.
This still does not tell us why we would hash a password, only that hashing a password does not forfeit the intended usage of authenticating users.
This post has been edited by Dormilich: 24 February 2013 - 11:22 PM
Reason for edit: Removed spam links
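The points made in #3 (salt and hash, not just hash) and #5 (a hash is deterministic, so a stored hash is enough to verify a candidate password by rehashing it) can be shown in a few lines. The code below is an added example and is not from any poster in this thread; the record format, PBKDF2-HMAC-SHA256 as the hash, the 200,000 iteration count and the 16-byte salt length are assumptions chosen for illustration, not recommendations from the thread.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the thread).
ITERATIONS = 200_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn per call, so two users with the same password
    end up with different records (the point raised in #3)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Rehash the candidate with the stored salt and compare (the check in #5).

    Only the record is needed; the original password is never stored. A
    constant-time comparison avoids leaking how many leading bytes matched."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        if algo != ALGO:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        salt, int(iterations))
    except ValueError:
        # Malformed record: wrong field count, bad hex, non-integer iterations.
        return False
    return hmac.compare_digest(candidate, expected)


def unsalted_hashes_collide(password: str) -> bool:
    """Without a salt, equal passwords give equal hashes, so a database reader
    can see at a glance which accounts share a password."""
    a = hashlib.sha256(password.encode("utf-8")).hexdigest()
    b = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return a == b


def salted_records_differ(password: str) -> bool:
    """With a per-user salt the same password yields two different records."""
    return hash_password(password) != hash_password(password)


def stored_hash_is_not_a_password(record: str) -> bool:
    """Submitting the stored hash string as the password does not authenticate
    (#4's hash(hash(p)) != hash(p) observation)."""
    stored_hex = record.split("$")[3]
    return not verify_password(stored_hex, record)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample
    print(rec)
    print("right password verifies:", verify_password("correct horse battery staple", rec))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", rec))
    print("unsalted sha256 collides:", unsalted_hashes_collide("hunter2"))
    print("salted records differ:", salted_records_differ("hunter2"))
```

Note that the record carries its own salt and iteration count, so verification needs nothing beyond what the database already holds, and the parameters can be raised later for new records without breaking old ones.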
#6
Re: Why should passwords be hashed (in database)
Posted 25 February 2013 - 12:08 AM