Narphet wrote: So what's the point of encrypting passwords?
If you really need something to be secure from prying eyes, you'll need to do something like TLS that encrypts everything. It's not then a mere matter of monitoring traffic, because each side negotiates a key for the other to encrypt traffic with, and only the destination (without some strange exploit) would be able to decrypt it.
So doing that, there's no hash or plaintext password visible at all to an attacker.
Otherwise, encrypting passwords can have the effect of not being as easily grepped for in network traffic. I think that altering traffic from containing any sort of key/value pair of the password/value would be a good idea just so anyone listening wouldn't immediately be tipped off to it were they to grep for 'password' on a dump of sniffed traffic. It's just basic obfuscation though and not real security.
"I'm going to get into your sister. I'm going to get my hands on your daughter."
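An added example, not part of the original post, illustrating the reply's point that hashing a password before sending it over an unencrypted channel is only obfuscation: the hash itself becomes the credential. It goes one step beyond the post by contrasting this with a per-login nonce; the account, password and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

def derive(password: str) -> bytes:
    # Toy derivation for the demo; real storage would use a slow, salted KDF.
    return hashlib.sha256(password.encode()).digest()

# Constructed sample account (hypothetical user and password).
STORED = {"alice": derive("correct horse")}

def login_static(user: str, sent_hash: bytes) -> bool:
    """Scheme A: the client sends H(password) instead of the password."""
    return hmac.compare_digest(STORED.get(user, b""), sent_hash)

def new_challenge() -> bytes:
    """Scheme B: the server issues a fresh random nonce for every login."""
    return secrets.token_bytes(16)

def respond(password: str, nonce: bytes) -> bytes:
    # Client side of scheme B: prove knowledge of the key for this nonce only.
    return hmac.new(derive(password), nonce, hashlib.sha256).digest()

def login_challenge(user: str, nonce: bytes, response: bytes) -> bool:
    expected = hmac.new(STORED.get(user, b""), nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    # Values a passive listener on a plaintext link would have recorded
    # from one legitimate login under each scheme.
    captured_hash = derive("correct horse")
    nonce_1 = new_challenge()
    captured_response = respond("correct horse", nonce_1)
    nonce_2 = new_challenge()  # the server's challenge for a later login
    return {
        # Replaying the recorded hash succeeds: it is a password equivalent.
        "static_replay": login_static("alice", captured_hash),
        # The recorded response was valid for the nonce it answered...
        "challenge_legit": login_challenge("alice", nonce_1, captured_response),
        # ...but is rejected against any later nonce.
        "challenge_replay": login_challenge("alice", nonce_2, captured_response),
    }

if __name__ == "__main__":
    print(demo())
```

The nonce variant only protects the login step itself; everything sent after it still crosses the wire in the clear, which is the case the reply's TLS recommendation covers.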