jdc1944 asked:

Encrypting passwords – What’s the point?

It’s Friday, I’ve had a long week and something has just popped into my head that I really should be able to answer, but I can’t!  It’s probably a very stupid question.

You have a finance or HR system in your business, perhaps based on an Oracle or SQL database.  A decision is made, like most places I presume, not to encrypt the entire database; however, users' passwords are stored encrypted (in whatever way that may be).  What's the point behind this?  What I'm questioning is: if an attacker can get access to that database file, can they not get access to all the other data they need and therefore not require all the passwords?

Perhaps what I’m missing is a better understanding of how an attack may happen on a database or how databases work.  The only thing I can think of is that an SQL/Oracle etc. database isn’t a flat file so you can’t just open it in a notepad and view data.  You will have to load/connect to it via an SQL Server where you will have to authenticate.  Then what?  You manage to compromise/guess an account username and password.  This gives you access to the database and therefore the data you want.  You’ve got access so why do you need the remaining passwords?  What’s so valuable about the passwords when the system may hold bank account details that may not be encrypted?

One of the only uses I can think of is you compromise an account in the database so you can view data, but what are you going to do with it?  Isn't the point that you then compromise other accounts so that you can log into the database's application and run fraudulent transactions through the system?
Tags: Databases, Encryption, Cyber Security, SQL

Last comment: jdc1944, 8/22/2022 (Mon)
Éric Moreau

Humans are lazy (I know, I am human!). People tend to reuse the same password over and over again. So if your passwords are clear text and a cyber-attacker grabs them, chances are they will be able to connect to other services from the web for those users.
Pawan Kumar

If you are using passwords in the DB then it is a very good idea to encrypt them so that other people cannot log in to the DB and see your password. People can also misuse your password, since they can see it as clear text. So it is a very good and necessary thing.

Apart from this people also encrypt Salary and other important information.

Good luck
Jeffrey Dake

Also, it is usually a good idea to use a one-way encryption algorithm on passwords. Since lots of users tend to reuse passwords, this adds an extra layer of security for a user. There is really no reason for an application to ever know the actual password, just whether the two encryptions match.
SOLUTION
Pavel Celba

ASKER CERTIFIED SOLUTION
John

arnold

I think the confusion starts in the understanding of what the purpose of DB encryption is.

The DB encryption deals with securing the data from being taken. Direct access to the server is needed.
I.e. boot the system using alternate boot media, locate the database files, copy them out.
Attach them on another server...... If encrypted, this type of person will not have access to the DB data without the master key/certificate.

Several explained why user passwords are encrypted.
One of them is a way to avoid having an inside person accessing and disclosing other users' credentials.
I.e. Person A has rights to manage access to the data, list the users/passwords. Either use others' credentials to do .... Or sell ..
...
John

I don't think the question was about database encryption, merely the encryption of the contents of the password (and maybe username) columns.
SOLUTION
arnold

SOLUTION
Olaf Doschke

Jeffrey Dake

Another great reason to encrypt a password in a database with a one-way hash is that it can help protect users' passwords from people who do have access to your database. It kind of protects your company from itself. You don't have to worry about a disgruntled employee, or someone exporting passwords without thinking that they could be stolen.
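Jeffrey Dake's two posts above make the same point: store only a one-way hash, check a login by recomputing it and comparing, and neither an outside attacker who dumps the table nor an insider with read access learns a password they can reuse elsewhere. The following is an added example, not code from the original thread or from any of the posters, showing what that looks like with the Python standard library's PBKDF2-HMAC-SHA256: a random per-user salt, a stored record that carries its own parameters, a constant-time comparison, and the one avenue an attacker holding the dump still has, which is guessing. The user table, the user names and passwords, and the 600,000-iteration work factor are constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. This value is an assumption for the example
# (OWASP's 2023 guidance is 600,000 iterations for SHA-256); tune it for your hardware.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: bytes | None = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    Only this record goes into the users table. The password itself is never written
    anywhere, so a dump of the table (or a DBA's SELECT) yields no reusable credential.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and work factor; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    expected = bytes.fromhex(digest_hex)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations), dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched through timing.
    return hmac.compare_digest(candidate, expected)


def dictionary_attack(stored: str, wordlist: list[str]) -> str | None:
    """What an attacker holding a dumped record can still do: guess.

    Each guess costs one full KDF run against that user's salt, which is the only
    reason the work factor matters. Returns the recovered password or None.
    """
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


def build_user_table(iterations: int = ITERATIONS) -> dict[str, str]:
    """Constructed sample data standing in for the HR system's users table."""
    return {
        "alice": hash_password("correct horse battery staple", iterations=iterations),
        "bob": hash_password("Summer2022!", iterations=iterations),
        "carol": hash_password("Summer2022!", iterations=iterations),  # same password as bob
    }


if __name__ == "__main__":
    table = build_user_table()
    for user, record in table.items():
        print(f"{user}: {record}")
    # Same password, different salt, so an insider cannot even see that bob and carol match.
    print("bob and carol records identical:", table["bob"] == table["carol"])
    print("alice login ok:", verify_password("correct horse battery staple", table["alice"]))
    wordlist = ["password", "Summer2022!", "letmein"]
    print("bob cracked as:", dictionary_attack(table["bob"], wordlist))
    print("alice cracked as:", dictionary_attack(table["alice"], wordlist))
```

Two things worth noticing when it runs: bob and carol chose the same password but their stored records differ, so even someone reading the table cannot tell, and cannot precompute one hash to attack everyone; and bob's weak password still falls to a three-word list, which is why the hash only buys time and a password policy is still needed. For a new system, prefer a memory-hard function such as scrypt or Argon2 over PBKDF2 where your platform offers it.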
jdc1944 (asker)
Thanks for everyone's input