Is sending a hashed password over the wire a security hole?

I came across a system used by a company we are considering partnering with on a medium-sized project (medium-sized for us, not for them).

They have a web service with which we will need to integrate.

My understanding of the correct way to handle usernames and passwords is that the username can be stored in the database in clear text. Each user should have a unique pseudo-random salt, which can also be stored in clear text. The password text is combined with the salt, and the combined string is then hashed and stored in the database in an nvarchar field. As long as passwords are sent to the website (or web service) over SSL, everything should be fine.

Feel free to pick apart my understanding as stated above if I am wrong.

In any case, back to the topic. The web service run by this potential partner does not accept the username and password as I expected. Instead, it accepts two string fields named "Username" and "PasswordHash". The "PasswordHash" value I was given really does look like a hash, not just a value in a misnamed field.

This raises a red flag for me. I'm not sure why, but for some reason I feel uncomfortable sending a hashed password over the wire. Off the top of my head I can't think of why it would be bad... Technically, the hash is available in the database anyway. But it makes me nervous, and I'm not sure whether there is a reason for this or I'm just being paranoid.

EDIT

I was confused by some comments below until I reread my post.

" - ( -) , ".

, , , "SSL". - "plaintext". .

Worst. . -.
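The two schemes the question contrasts, as an added example that is not part of the original post: the server-side salted hash described above, next to an interface that accepts a precomputed "PasswordHash" field. The store, the sample user and the PBKDF2 round count are constructed assumptions; the caveat it shows is that when the server can only compare the client-sent hash with the stored one, the stored value is itself the credential, so a database leak is an immediate credential leak.

```python
import hashlib
import hmac
import secrets

# Constructed user store matching the scheme in the question: username and
# per-user salt in clear text, only the salted password hash stored.
ITERATIONS = 100_000  # assumption: PBKDF2 rounds; a slow KDF beats a single hash round


def hash_password(password: str, salt: bytes) -> str:
    """Combine the password with the user's salt and hash it (PBKDF2-HMAC-SHA256)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return digest.hex()


def register(store: dict, username: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # unique pseudo-random salt per user
    store[username] = {"salt": salt, "password_hash": hash_password(password, salt)}


def verify_password(store: dict, username: str, password: str) -> bool:
    """Scheme 1: the client sends the password (over TLS); the server salts and hashes it."""
    record = store.get(username)
    if record is None:
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["password_hash"])


def verify_hash(store: dict, username: str, password_hash: str) -> bool:
    """Scheme 2: the client sends a precomputed hash, as the partner's service does.
    The server can only compare it with the stored value, so the stored value
    is itself the credential: anyone who can read the database can authenticate."""
    record = store.get(username)
    if record is None:
        return False
    return hmac.compare_digest(password_hash, record["password_hash"])


def demo() -> dict:
    store = {}
    register(store, "alice", "correct horse battery staple")  # constructed sample user
    leaked = store["alice"]["password_hash"]  # what a database leak would expose
    return {
        "password_ok": verify_password(store, "alice", "correct horse battery staple"),
        "wrong_password_rejected": not verify_password(store, "alice", "wrong"),
        # Scheme 1: the leaked hash is not the password, so it is rejected.
        "leaked_hash_rejected_by_scheme1": not verify_password(store, "alice", leaked),
        # Scheme 2: the leaked hash alone is enough to pass the check.
        "leaked_hash_accepted_by_scheme2": verify_hash(store, "alice", leaked),
    }
```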


Source: https://habr.com/ru/post/1743458/
