Fantastic book. The best programming book I’ve read since I read the first Programming Ruby book. Kudos!
With that said, one thing in the book confused me a little bit: the way passwords were handled using the hashing mechanism to prevent storing the plain text password. I think I understand the theory behind doing that – is it just so the user’s password isn’t stored in plain text in the application’s database? I don’t understand how that makes the application more secure. If anyone was going to steal the password with some sort of man-in-the-middle attack then they could still do that, since the password is sent to the application as plain text.
Exactly what are the real security benefits? If the application’s database is compromised, I guess there is a little bit of benefit in not having the user passwords available to the cracker, but I would assume that the password is going to be the least important piece of information at that point. After all, if they have the database then they have everything the password was protecting in the first place.
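The point of hashing is the threat the poster mentions last: a copy of the users table. Hashing does nothing for the wire (that is what TLS is for), but it means a leaked or backed-up database does not hand out the passwords themselves, which matters because most people reuse the same password at other sites. The following is an added example written for this thread, not code from the book or from the poster; it uses Ruby's standard `openssl` and `securerandom` libraries, and the iteration count, the record format and the `PasswordStore` module name are my own choices, not anything the book prescribes.

```ruby
require "openssl"
require "securerandom"

# Added example (not from the book or the poster): salted, iterated password
# hashing so that a stolen copy of the users table reveals no password.
module PasswordStore
  ITERATIONS = 100_000   # assumed value: slows guessing; tune for your hardware
  KEY_LEN    = 32        # bytes of derived key (SHA-256 output size)
  DIGEST     = "sha256"

  # Returns a self-describing record "pbkdf2-sha256$iterations$salt_hex$hash_hex".
  # A fresh random salt per user means two users with the same password end up
  # with different hashes, so a precomputed table of hashes is useless.
  def self.hash_password(password, salt: SecureRandom.random_bytes(16), iterations: ITERATIONS)
    derived = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LEN,
                                         OpenSSL::Digest.new(DIGEST))
    ["pbkdf2-#{DIGEST}", iterations, salt.unpack1("H*"), derived.unpack1("H*")].join("$")
  end

  # Recomputes the hash with the stored salt and iteration count, then compares
  # in constant time. The password itself is never stored or needed for this.
  def self.verify(record, candidate)
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    return false unless scheme == "pbkdf2-#{DIGEST}" && salt_hex && hash_hex
    salt = [salt_hex].pack("H*")
    derived = OpenSSL::PKCS5.pbkdf2_hmac(candidate, salt, iterations.to_i, KEY_LEN,
                                         OpenSSL::Digest.new(DIGEST))
    secure_compare(derived.unpack1("H*"), hash_hex)
  end

  # Constant-time comparison: a plain == stops at the first differing byte, so
  # the time taken would leak how many leading bytes of a guess were right.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # True if the stored record contains the password itself, which it never should.
  def self.leaks_plaintext?(record, password)
    record.include?(password)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: what ends up in the database for one user.
  record = PasswordStore.hash_password("correct horse battery staple")
  puts "stored row:                #{record}"
  puts "login with right password: #{PasswordStore.verify(record, 'correct horse battery staple')}"
  puts "login with wrong password: #{PasswordStore.verify(record, 'Password1')}"
  puts "row contains the password: #{PasswordStore.leaks_plaintext?(record, 'correct horse battery staple')}"
end
```

Run it twice and the stored row differs each time (fresh salt) while both still verify; that is the property that makes a dumped table far less useful than the same table with plain text columns. Rails' own `has_secure_password` (bcrypt) does the same job with a tuned work factor and is what you would use in an application rather than this hand-rolled version.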