I occasionally receive emails from people who have come across PHPCredlocker, and the question is usually the same - "Why are you storing passwords using reversible encryption?". Most emails are polite, some not so much, but they all have one thing in common - assuming that a commonly stated fact applies to all scenarios, and failing to apply a bit of simple logic that would tell them the answer - because that's the only way the system would work.
In this post, we'll be briefly looking at some of the ways in which you can store credentials, and which of them are appropriate to use (and when), in the context of building an application (web or otherwise).
I actually wrote a white-paper on this a good few years ago, but things have moved on considerably since then - Rainbow tables are no longer used, and it's now possible to cheaply use cloud services with GPUs available.
One thing that hasn't changed, however, is that you should always work on the basis that one day, somehow, an attacker will manage to get a copy of your database. At that point, how you've stored the credentials becomes very important (users re-use passwords, so it may not just be your system that gets compromised if the credentials are recovered).
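To make the "assume the database leaks" principle concrete, here is an added example (not code from PHPCredlocker or from this post) of storing a credential so that a copy of the database does not hand the attacker the password. It uses a per-user random salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library) and compares digests in constant time; the `pbkdf2_sha256$iterations$salt$hash` record layout and the 600,000 iteration count are this example's own assumptions. The `unsalted_sha1` function is included only to show, side by side, why a fast unsalted hash lets an attacker with GPUs attack every user at once: identical passwords produce identical stored values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this example; raise it as hardware gets faster.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def unsalted_sha1(password: str) -> str:
    """What NOT to store: fast, unsalted, and identical for every user with this password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a slow, salted hash and return a self-describing record
    (format is this example's own): algo$iterations$salt_b64$hash_b64."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per stored credential
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "%s$%d$%s$%s" % (
        ALGO,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash using the parameters stored in the record and compare
    in constant time, so timing does not leak how many leading bytes matched."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        if algo != ALGO:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iters)
    except ValueError:
        return False  # malformed or truncated record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                             dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the stored record uses a weaker scheme or a lower work factor than
    current policy; call after a successful login to upgrade the stored hash."""
    try:
        algo, iters, _, _ = record.split("$")
    except ValueError:
        return True
    return algo != ALGO or int(iters) < iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    # Two users with the same password: unsalted hashes collide, salted records differ.
    print("unsalted identical:", unsalted_sha1(pw) == unsalted_sha1(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("salted identical:", a == b)
    print("verify ok:", verify_password(pw, a), "verify wrong:", verify_password("hunter2", a))
```

The point of `needs_rehash` is that the work factor is stored alongside the hash, so when you raise `ITERATIONS` later, existing users are transparently upgraded the next time they log in rather than left on the old setting.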