I am developing a Flex app with a Zend Framework backend using Zend_Amf, Zend_Auth, and Zend_Acl. The application will use RemoteObjects with HTTPS endpoints.
Do I need to be concerned with encrypting users' passwords, or will the SSL protect all information?
I haven't been able to find a secure method of transmitting passwords that isn't vulnerable at some point:
1) If using salts that are stored, the salt must be hard-coded in the client (Flex) and stored somewhere on the server. Drawback: Flex apps can be reverse-engineered, and the salt can be retrieved.
2) If using dynamic salts, they must be requested and somehow transmitted to the client. If anyone can request a salt, what is to prevent a hacker from doing the same?
3) Using one-way encryption without a salt is just like sending the password - once the hacker guesses the encrypted password, they can authenticate as well.
So then the question is, if using HTTPS, is it necessary to bother encrypting the login password at all?
Don't bother. The methods you described can be easily broken, whereas breaking SSL cannot be done in a practical enough amount of time to be a viable means of intrusion. If someone is after the data that badly, they will probably use some other method than breaking through your SSL.
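Putting the answer into practice on the Zend side, as an added example that is not from either post: the Flex client sends the plaintext password over the HTTPS endpoint, and the server verifies it against a salted one-way hash that never leaves the server. It assumes PHP 5.5+ for `password_hash()`/`password_verify()` and a hypothetical `$users` array in place of a real user table.

```php
<?php
// Added example (not from the question or answer): a Zend_Auth adapter that
// takes the plaintext password sent over HTTPS and checks it against a
// server-side salted hash. Assumes PHP >= 5.5 and a hypothetical $users map.
class Https_Password_Adapter implements Zend_Auth_Adapter_Interface
{
    private $_username;
    private $_password;
    private $_users; // hypothetical: username => hash produced by password_hash()

    public function __construct(array $users, $username, $password)
    {
        $this->_users    = $users;
        $this->_username = $username;
        $this->_password = $password;
    }

    public function authenticate()
    {
        // The whole argument rests on TLS protecting the credential in transit,
        // so refuse to authenticate if the request did not arrive over HTTPS.
        if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
            return new Zend_Auth_Result(
                Zend_Auth_Result::FAILURE_UNCATEGORIZED, null,
                array('Login is only accepted over HTTPS'));
        }
        if (!isset($this->_users[$this->_username])) {
            // Run a hash check anyway so response time does not reveal which usernames exist.
            password_verify($this->_password, password_hash('dummy', PASSWORD_DEFAULT));
            return new Zend_Auth_Result(
                Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND, $this->_username);
        }
        // The salt is embedded in the stored hash on the server; the client never
        // sees it, which removes the "who hands out the salt" problem entirely.
        if (!password_verify($this->_password, $this->_users[$this->_username])) {
            return new Zend_Auth_Result(
                Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, $this->_username);
        }
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $this->_username);
    }
}

// Usage with constructed data: the stored value is password_hash() output, never the password.
$users   = array('alice' => password_hash('correct horse', PASSWORD_DEFAULT));
$adapter = new Https_Password_Adapter($users, 'alice', 'correct horse');
$result  = Zend_Auth::getInstance()->authenticate($adapter);
var_dump($result->isValid());
```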