If you store passwords in plaintext in the database, a simple SQL injection can dump them out.
If you store passwords encrypted in the database, you need to get the code of the server software in order to extract the keys.
So at the end of the day, it depends on the probability of a complete server compromise vs. the probability of a successful SQL injection.
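
The trade-off above as a runnable sketch, added here and not part of the original post: it compares what a read of the database alone discloses with what is disclosed once the server-held key is also known. The table names, sample users and `APP_KEY` are constructed, and the HMAC-based keystream is a standard-library stand-in for a real cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Assumption: the key is held by the application (code/config), never stored in the database.
APP_KEY = secrets.token_bytes(32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stdlib stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: str) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh nonce per value, stored with the ciphertext
    data = plaintext.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt(key: bytes, blob: bytes) -> str:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()

def build_db() -> sqlite3.Connection:
    """Constructed sample data: one table per storage scheme."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (name TEXT, password TEXT)")
    db.execute("CREATE TABLE users_enc (name TEXT, password BLOB)")
    for name, pw in [("alice", "correct horse"), ("bob", "hunter2")]:
        db.execute("INSERT INTO users_plain VALUES (?, ?)", (name, pw))
        db.execute("INSERT INTO users_enc VALUES (?, ?)", (name, encrypt(APP_KEY, pw)))
    return db

def database_only_exposure(db):
    """What a read of the tables alone discloses (the SQL injection case)."""
    plain = dict(db.execute("SELECT name, password FROM users_plain"))
    enc = dict(db.execute("SELECT name, password FROM users_enc"))
    return plain, enc

def full_server_exposure(db, key):
    """What is disclosed once the key held by the server is known as well."""
    _, enc = database_only_exposure(db)
    return {name: decrypt(key, blob) for name, blob in enc.items()}
```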