It’s Friday, I’ve had a long week, and something has just popped into my head that I really should be able to answer, but I can’t! It’s probably a very stupid question.
You have a finance or HR system in your business, perhaps based on an Oracle or SQL database. A decision is made, like most places I presume, not to encrypt the entire database; however, users’ passwords are stored encrypted (in whatever way that may be). What’s the point behind this? What I’m questioning is: if an attacker can get access to that database file, can they not get access to all the other data they need and therefore not require all the passwords?
Perhaps what I’m missing is a better understanding of how an attack may happen on a database or how databases work. The only thing I can think of is that an SQL/Oracle, etc., database isn’t a flat file, so you can’t just open it in Notepad and view the data. You will have to load/connect to it via an SQL server, where you will have to authenticate. Then what? You manage to compromise/guess an account username and password. This gives you access to the database and therefore the data you want. You’ve got access, so why do you need the remaining passwords? What’s so valuable about the passwords when the system may hold bank account details that may not be encrypted?
One of the only uses I can think of is that you compromise an account in the database so you can view data, but what are you going to do with it? Isn’t the point that you then compromise other accounts so that you can log into the database’s application and run fraudulent transactions through the system?
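As an added illustration of the scenario in this question (example code written for this page, not part of the original post): a small in-memory users table is built two ways, once with plaintext passwords and once with salted PBKDF2 hashes, and an attacker with read access to the table (or a copied data file) is simulated. The bank account column is visible either way, which is the point the question makes; the difference is what the password column is worth. In the plaintext case the stolen value can be submitted straight to the application's login; in the hashed case it cannot, and only passwords that appear in a wordlist fall to offline guessing. SQLite stands in for the Oracle/SQL Server database, and the column names, sample users, IBAN-style strings and PBKDF2 parameters are all constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample users (assumed for this example; not real people or accounts).
SAMPLE_USERS = [
    ("alice", "Winter2024!Finance", "GB12BARC20040112345678"),
    ("bob", "hunter2", "GB98LOYD30991234567890"),
]

# Iteration count is an assumption for the demo; production deployments tune this higher.
PBKDF2_ROUNDS = 100_000
HASH_PREFIX = "pbkdf2_sha256$"


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$rounds$salt_hex$hash_hex' for storage in the users table."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{HASH_PREFIX}{PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and rounds; constant-time compare."""
    _algo, rounds, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_db(hashed):
    """Create the hypothetical HR 'users' table, with plaintext or hashed passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, bank_account TEXT)")
    for user, pw, iban in SAMPLE_USERS:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (user, hash_password(pw) if hashed else pw, iban))
    conn.commit()
    return conn


def dump_table(conn):
    """Everything an attacker sees with read access to the table or a copy of the data file."""
    return conn.execute("SELECT username, password, bank_account FROM users").fetchall()


def app_login(conn, username, supplied_password):
    """The application's login check: the user supplies a password, never a hash."""
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    stored = row[0]
    if stored.startswith(HASH_PREFIX):          # demo-only way to tell the two schemes apart
        return verify_password(supplied_password, stored)
    return hmac.compare_digest(stored, supplied_password)


def attacker_replays_dump(conn):
    """Attacker submits each password column value from the dump to the application login."""
    return {user: app_login(conn, user, stored) for user, stored, _iban in dump_table(conn)}


def attacker_dictionary_attack(conn, wordlist):
    """Offline guessing against the dump: hashing does not save weak, guessable passwords."""
    cracked = {}
    for user, stored, _iban in dump_table(conn):
        for guess in wordlist:
            hit = verify_password(guess, stored) if stored.startswith(HASH_PREFIX) else guess == stored
            if hit:
                cracked[user] = guess
                break
    return cracked


if __name__ == "__main__":
    for scheme in (False, True):
        db = build_db(hashed=scheme)
        print("hashed" if scheme else "plaintext", "dump:", dump_table(db))
        print("  replay stolen password column:", attacker_replays_dump(db))
        print("  wordlist attack:", attacker_dictionary_attack(db, ["password", "hunter2", "letmein"]))
```

Either dump exposes the bank account column in full, so hashing does nothing for that data; it only removes the reusable credential. The offline wordlist result is the caveat a practitioner would add: a slow salted hash buys time, not immunity, and a password like `hunter2` is recovered regardless.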