encrypting everything


yacahuma
Forum Regular
Posts: 870
Joined: Sun Jul 01, 2007 7:11 am

encrypting everything

Post by yacahuma »

I just read on CNET that a company was sued because a hacker was able to steal emails and passwords (using SQL injection). They argue that the emails should have been encrypted. I understand passwords being encrypted and data like SSNs. But emails? Every piece of data could be considered important: the name, the phone, address, etc.? Are you guys encrypting everything nowadays?
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: encrypting everything

Post by Apollo »

No, I'd rather make sure I'm not vulnerable to injections in the first place :)

(And as for encrypting passwords: you shouldn't store passwords at all, just hashes)
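Apollo's point about not being vulnerable to injection in the first place, as an added example that is not part of the original thread: the same email lookup written once with string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table using Python's standard sqlite3 module. The table rows and the inputs are made up for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the thread): a tiny users table.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("o'brien", "obrien@example.test"),
]


def make_db():
    """Return an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_vulnerable(conn, username):
    """The pattern behind the breach in the thread: user input spliced into SQL text.
    The database cannot tell where the query ends and the data begins."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, username):
    """Parameterized query: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups over three constructed inputs and collect the outcomes."""
    conn = make_db()
    normal = "alice"
    # A legitimate name containing a quote: breaks the vulnerable query only.
    quoted = "o'brien"
    # The textbook tautology input: the vulnerable query returns every row,
    # the parameterized one searches for that literal string and finds nothing.
    tautology = "' OR '1'='1"
    results = {
        "vulnerable_normal": lookup_email_vulnerable(conn, normal),
        "safe_normal": lookup_email_safe(conn, normal),
        "safe_quoted": lookup_email_safe(conn, quoted),
        "vulnerable_tautology": lookup_email_vulnerable(conn, tautology),
        "safe_tautology": lookup_email_safe(conn, tautology),
    }
    try:
        lookup_email_vulnerable(conn, quoted)
        results["vulnerable_quoted_error"] = None
    except sqlite3.OperationalError as exc:
        # The stray quote turns valid data into a SQL syntax error.
        results["vulnerable_quoted_error"] = str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The lesson is that the safe version needs no escaping logic at all: the driver sends the value separately from the statement, so a name like o'brien works and a tautology is just an unmatched username.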
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: encrypting everything

Post by pickle »

I never store passwords, and everything else is plaintext.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Bill H
DevNet Resident
Posts: 1136
Joined: Sat Jun 01, 2002 10:16 am
Location: San Diego CA

Re: encrypting everything

Post by Bill H »

User: I forgot my password.
Me: Okay.
User: Can you tell me what it is?
Me: No. I can reset it to "foobash" for you.
User: I don't want that one, I want it to be what it was.
Me: You forgot what it was.
User: But I want you to tell me what it was.
Me: I don't know what it was.
User: But can't you find out?
Me: No, it's your password, not mine.
User: But if you make it "foobash" you'll know what it is.
Me: Only until you use it to get in and change it to something that I don't know.
User: But what if I forget it again?
Me: Then I'll reset it to "foobash" again.
User: You still won't be able to tell me what it is?

Some people just don't understand this whole encryption thing.
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA

Re: encrypting everything

Post by jason »

To be fair, there is a distinct difference between hashing and encrypting. You can get a person's password back if you merely encrypt it. Credit card numbers are stored encrypted. They can be decrypted.

However, there comes a point in time when you have to weigh convenience against security. I know we all like to say that security is the most important thing, but then the reality is, we would really be encrypting everything. Of course, this is not really feasible.

Consider if you encrypted users' data with their username and password. Now, you are smart and build in the ability to change the data when the user changes his password. But what happens to the user's data when they forget their password?

Encryption really is security through obscurity. It's hiding the data with a password. That's really all it's doing. If someone gets access to data that is encrypted, the encryption isn't some magical protection. The data is reversible. Even more so, if the person gets access to your database AND your server, they can most likely find your encryption method and reverse it to decrypt everything.

Okay, so I've babbled. Anyway, the point is simple. Protecting user data is important, but encryption is merely a reasonable protective measure for highly sensitive data. There is a reason there is a lot more to credit card processing than merely encrypting the data you store. Best practices, security policies, secure data transfer, patched and up-to-date software: all these things are critical.

Just something to think about.
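The distinction jason draws between hashing and encrypting, together with Bill H's reset-but-never-recover exchange, as an added example that is not from the thread: a hashed password can be verified or replaced but never read back, while data encrypted under a key derived from that password is reversible only by someone holding the password, so an administrative reset leaves that data unreadable. The Account class, the HMAC-based toy stream cipher and the sample values are assumptions made for this demonstration, not code from the forum or any project; only Python's standard library is used.

```python
import hashlib
import hmac
import os

# Constructed demo parameter (not from the thread); real deployments tune this.
ITERATIONS = 100_000
SALT_LEN = 16
NONCE_LEN = 12


def hash_password(password, salt=None):
    """One-way: store salt + PBKDF2 digest. Nothing here yields the password back."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def derive_key(password, salt):
    """Encryption key derived from the user's password (jason's scenario)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def xor_keystream(key, nonce, data):
    """Toy stream cipher: HMAC-SHA256 counter-mode keystream XORed over the data.
    Demonstration only, with no integrity check; a real system uses a vetted AEAD."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor_keystream(key, nonce, plaintext)


def decrypt(key, blob):
    # Reversible by construction: the same key and nonce regenerate the keystream.
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor_keystream(key, nonce, body)


class Account:
    """Hypothetical account: password kept as a hash, profile encrypted under a
    key derived from that password."""

    def __init__(self, password, profile):
        self.pw_hash = hash_password(password)
        self.kdf_salt = os.urandom(SALT_LEN)
        self.profile_blob = encrypt(derive_key(password, self.kdf_salt), profile)

    def login(self, password):
        return verify_password(password, self.pw_hash)

    def read_profile(self, password):
        """Decrypt the profile; without the right password there is no way in."""
        if not self.login(password):
            return None
        return decrypt(derive_key(password, self.kdf_salt), self.profile_blob)

    def change_password(self, old, new):
        """Needs the old password so the profile can be re-encrypted under the new key."""
        profile = self.read_profile(old)
        if profile is None:
            return False
        self.pw_hash = hash_password(new)
        self.profile_blob = encrypt(derive_key(new, self.kdf_salt), profile)
        return True

    def admin_reset(self, new):
        """Bill H's 'foobash' reset: the hash is simply replaced, no old password needed.
        The profile blob stays encrypted under the forgotten password and is now lost."""
        self.pw_hash = hash_password(new)
        return True
```

The hash side has no decrypt function at all, which is exactly why the help desk in Bill H's dialogue can only reset. The encrypted profile shows jason's trade-off: a password change must carry the data across to the new key, and a reset done without the old password leaves the ciphertext reversible in principle but unreadable in practice, because the only key for it was derived from a secret nobody holds any more.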