I don't understand encryption very well at all; in the past I've just trusted it, but if I'm writing a web application that will go online I think I should try to understand it better.
Here's my question:
Suppose I'm asked to type in my password to log in on any website. The password, or some function of it, must then be sent to the server so that the server can compare it to the encrypted password stored there.
Either the password is sent in plain text, in which case (I think) it isn't secure as somebody could intercept and read it (which is a Bad Thing), or it's sent in its encrypted format, in which case somebody could intercept that and, even if they can't read the password, they could then pretend to be you by sending the encrypted string to the site, which wouldn't know any better. Similarly, if the hacker gets a copy of the database, he would just be able to send off the encrypted password and gain privileges. This is also a Bad Thing.
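As an added example (not part of the question or any answer), here is the server-side piece that addresses the last concern: the server stores only a salted, iterated hash, re-derives it from whatever the user submits, and so a copy of the stored value does not itself work as a password. It assumes the plain-text password reaches the server over TLS; the function and table names are my own.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user table": username -> (salt, derived key)
USERS = {}


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is illustrative, tune it for your hardware
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt per account
    USERS[username] = (salt, _derive(password, salt))


def verify(username: str, submitted: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Do a derivation anyway so response time does not reveal whether the user exists
        _derive(submitted, b"\x00" * 16)
        return False
    salt, stored = record
    # Constant-time comparison of the re-derived key against the stored one
    return hmac.compare_digest(_derive(submitted, salt), stored)


def stored_hash_accepted_as_password(username: str) -> bool:
    # Models the worry in the question: someone holding the database row submits
    # the stored hash itself in place of the password. Returns True only if that logs in.
    salt, stored = USERS[username]
    return verify(username, stored.hex())
```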