
Encrypting passwords – What’s the point?

Last Modified: 2017-11-08
It’s Friday, I’ve had a long week and something has just popped into my head that I really should be able to answer, but I can’t!  It’s probably a very stupid question.

You have a finance or HR system in your business, perhaps based on an Oracle or SQL database.  A decision is made, like most places I presume, not to encrypt the entire database; however, users’ passwords are stored encrypted (in whatever way that may be).  What’s the point behind this?  What I’m questioning is: if an attacker can get access to that database file, can they not get access to all the other data they need and therefore not require all the passwords?

Perhaps what I’m missing is a better understanding of how an attack may happen on a database or how databases work.  The only thing I can think of is that an SQL/Oracle etc. database isn’t a flat file so you can’t just open it in a notepad and view data.  You will have to load/connect to it via an SQL Server where you will have to authenticate.  Then what?  You manage to compromise/guess an account username and password.  This gives you access to the database and therefore the data you want.  You’ve got access so why do you need the remaining passwords?  What’s so valuable about the passwords when the system may hold bank account details that may not be encrypted?

One of the only uses I can think of is you compromise an account in the database so you can view data, but what are you going to do with it?  Isn’t the point you then compromise other accounts so that you can log into the database’s application and run fraudulent transactions through the system?