buybuy


Is it REALLY necessary to encrypt Password

Hi...

I would like to know how useful it is to encrypt a password and store it in the DB, and decrypt it when I need it. My question is: is it REALLY necessary to encrypt the password? I know it will be useful and more secure. However, what I really want to know is how much more secure that will be compared to no encryption.

Perhaps if I put it this way, as question:

Is it REALLY necessary to encrypt password?
A. NO. Forget it! It is useless. Don't waste time!
B. It does not matter. It is good to encrypt it but without encryption, it is OK too! No big deal!
C. Yes. Encrypt it! You can't live without encryption! You must encrypt it!

I would hope the answer is B. Then I might just leave it as it is for now. However, if EXPERTS say C, then I will have to go for it.

Thanks in advance. :)

Regards,
Ryan Chong

B if the server is secured.

But personally, I usually do not encrypt any password fields in my application. However, encryption may need to be implemented if your data contains any confidential information, and it really depends on the user requirements and the type of website we use.
Hi, I'd say "C".

Because if someone can open your DB tomorrow, he could read through your records and get detailed info like "PWD / CreditCard No .... etc."

So it is vital to encrypt it - yes, you can live without it - but you may expose your data if it falls into the wrong hands ...

Whereas if you have it encrypted - somebody can read the login name - but cannot get access to the pwd - so the information he gathers by opening your DB would be insufficient .. same in the case of CREDITCARD no's...

So it depends on you - how you look at it.

If you need more security - I'd suggest encrypting it.

let me know

K'Rgds
Anand
buybuy

ASKER

Anand,

First of all, what do you mean by "open your DB"? Are you saying that someone gets hold of my DB file? If that is the case, there is no point in encrypting the password either, unless I encrypt everything. For example, if someone gets hold of my DB file, he can just change all passwords to, say, "testing", whether the password field is encrypted or not. Then he can just use "testing" to view all the info.

My DB and web are hosted on someone else's server. Therefore, there is not much security, in that the administrator will always be able to do some damage. I can't do much about it unless... I encrypt everything, which might not be very useful either, as the administrator can always decrypt it using my ColdFusion code. Therefore, I can't worry about that part.

Secondly, I accepted your answer and will give you points for that. ;) But you should not lock it, as I would like to seek opinions from other EXPERTS. I will reject it first. :P

Thanks and regards,
I meant that if somebody opens up your tables, he cannot view the important information "like Pwd / creditcard no etc."

& since you are encrypting while inserting & decrypting while accessing the pwd - nobody can change the encrypted pwd to "testing", as when your code tries to decrypt it, it will throw an error ... getting it???

The rest depends on how you look at things & the requirements ...

take care

K'Rgds
Anand
hello,

There are more than 3 answers (a, b, c), I say.

e: more security is better. If you can add some extra security, then do it.

But what is it that you want to secure, and what would be the worst thing to happen if someone unauthorised accessed it?

If I am storing credit card numbers, then you can kiss your business goodbye if anyone ever gets hold of them.

If the password allows access to see some system logs - well, so what, and who would bother anyway?

So really the correct answer is "f: it depends".

cheers.
buybuy

ASKER

Hi...

Ok. I don't have credit card stuff. So that is good. :)

However, without using encryption, how insecure will that be? How easy is it to get hold of the "password" without encryption? If anybody can do that (using some kind of program from hacker sites), then it is a big problem. If only a few so-called hackers can do that, then I think I am OK, since I don't have critical data that deals with $$$. Perhaps some of you experts know how to do that? :p

Regards,
oops

Like meverest's way: if you have any critical data, please go for HTTPS, and when you create the certificate, provide more unique information when generating it.

Regarding the code, use any other algorithm that cannot be hacked, other than cfencrypt.

cheers.
ASKER CERTIFIED SOLUTION
meverest
buybuy

ASKER

Thanks a lot, guys. Great feedback. I appreciate all your help.

And, where can I find those algorithms? :)

Warmest regards,
Lai
Hi,

You'll find plenty of hits by searching Google for non-reversible encryption.

You might want to start with MD5, SHA and/or SHA1 checksums - a few database servers even support these as internal functions, so you don't even need to do the processing yourself, e.g. (MySQL):

select userID from users where username='<user>' and password=MD5('<password>')

cheers.
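Added example (not code from the thread or from any poster): the MySQL lookup meverest gives, run unchanged against an in-memory SQLite table with MD5 registered as a user function, beside a salted PBKDF2 variant that goes beyond the thread's suggestion so that two users with the same password no longer share a stored value. The table layout, usernames, and iteration count are constructed for the example, and the `'<user>'` placeholders are replaced by bound parameters.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; an assumed value for this example

def md5_hex(text: str) -> str:
    """Stand-in for MySQL's MD5(): hex digest of the UTF-8 text."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def open_db() -> sqlite3.Connection:
    """Constructed in-memory 'users' table; MD5 registered so the thread's query runs as written."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("MD5", 1, md5_hex)
    conn.execute("create table users (userID integer primary key, "
                 "username text unique, password text, salt text)")
    return conn

def register_md5(conn, username, password):
    """Store MD5(password), as the MySQL one-liner in the thread implies."""
    conn.execute("insert into users (username, password) values (?, MD5(?))",
                 (username, password))

def login_md5(conn, username, password):
    """The thread's lookup, with bound parameters instead of pasting '<user>' into the SQL."""
    row = conn.execute("select userID from users where username=? and password=MD5(?)",
                       (username, password)).fetchone()
    return row[0] if row else None

def register_salted(conn, username, password):
    """Per-user random salt plus a slow hash: equal passwords no longer share a stored value."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    conn.execute("insert into users (username, password, salt) values (?, ?, ?)",
                 (username, digest.hex(), salt.hex()))

def login_salted(conn, username, password):
    """Recompute with the stored salt and compare in constant time."""
    row = conn.execute("select userID, password, salt from users where username=?",
                       (username,)).fetchone()
    if row is None:
        return None
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(row[2]), ITERATIONS)
    return row[0] if hmac.compare_digest(digest.hex(), row[1]) else None

def stored_value(conn, username):
    """What someone who reads the table sees for this user: a digest, never the password itself."""
    return conn.execute("select password from users where username=?", (username,)).fetchone()[0]
```

Note that with plain MD5, "alice" and "bob" sharing a password store the identical digest, which is what the salted variant removes.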
buybuy

ASKER

Great! Thanks again.

Cheers.