Database encryption. RFC.

Stinger51

I recently signed up for a newsletter and received an email notifying me of my subscription. It also told me not to forget my password, as it was now encrypted in their database and they could not retrieve it for me.

In general, how important is encryption of database data? How secure is MySQL without encrypting one's data? Or is encryption mostly a waste of time? Do I want to be bothered running my de-encryption algorithm anytime somebody calls me up and tells me they forgot their password. Or should I just not bother encrypting such data, so I can view it directly in the DB and give it to them?

Just food for thot.

Azala

I encrypt passwords only so that incase some webhost company feels like peeking inside the user table they won't be able to read it and then log in using the info.

Of course they could change it to whatever, but then we would know it was tampered with, and as such start an investigation.

I always design my sites with a fully automatic password system. On user account creation, a password is automatically generated, encrypted and put into the DB, the user also gets an email with user/pass info. On the login page there is a 'I forgot my password' link which will eventually automatically create another password for the user. This way you as the programmer/administrator would never have to deal with password issues. Also, by having it automatically generated, you create more secure passwords, as users tend to select crappy passwords. Some clients will always complain about the passwords being too hard, but in such cases I always tell them i'm not willing to risk you having an easy password and putting the system at risk and they usually accept that.

Sxooter

The real issue of encryption isn't so much WHETHER or not data is encrypted (or hashed, as technically a password encryption is usually a one way hash and considered unrecoverable). The real issue is how and where the data are encrypted.

For instance, you can use a loop back mounted partition that's encrypted, which requires a passphrase and possibly a CD, usb dongle, or floppy with the key to be inserted on bootup to mount the partition. This helps ensure against the drive or machine being stolen, but doesn't stop people with db access from getting the data. Or you can do it on the front end server and pass the encrypted data back to the db server that way.

Or, you could put a 2 key system in place, where the db has the encryption key on input, but can't decrypt it, and the application has the other half of the key, so it can decrypt the data when it's been retrieved.

Generally speaking, passwords and financial data should always be encrypted in some way, but if your process is full of holes, then it's just for show. Gotta do security surveys and see what you're trying to accomplish before you start encrypting things if you want it to be useful.