neilmasters wrote: I'm curious as to what encryption methods you use for storing sensitive data. Specifically, what I am referring to is passwords within a MySQL database.
So, you are trying to prevent an attacker who succeeds in compromising the database from using those passwords to, say, log in to other online accounts of users who reuse passwords?
I'm curious as to whether you need to provide a password retrieval mechanism for your users, or if a "set new password" scheme will suffice. For the former, you really do need encryption, but then you have the problem of storing the secret key such that it will not be compromised along with the rest of the database. For the latter, I suggest using a cryptographic hash algorithm along with a user-specific salt. The important factors to look at would be preimage resistance and computation time (i.e., the slower the better, to delay brute-force attacks).
Besides the storage of passwords, look into the transmission of passwords, e.g., the use of SSL/TLS.
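One way to implement the salted, deliberately slow hash and the "set new password" flow described in the reply above, as an added example that is not code from the poster or from this thread. It uses PBKDF2-HMAC from the Python standard library; the iteration count, the `scheme$iterations$salt$hash` record format, the column it is meant for, and the reset-token length are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Tuple

# Scheme parameters. These values are assumptions for illustration; tune the
# iteration count so one verification costs a noticeable fraction of a second
# on the hardware that will actually run it.
HASH_NAME = "sha256"
ITERATIONS = 210_000
SALT_BYTES = 16
KEY_BYTES = 32
SCHEME = f"pbkdf2_{HASH_NAME}"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted, iterated hash and pack it into a self-describing
    record of the form scheme$iterations$salt_hex$hash_hex (fits a VARCHAR
    column). Storing the parameters next to the hash lets you raise the
    iteration count later without invalidating existing users."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user, never reused
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time, so a mismatch does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: treat as a failed login, not a crash
    if scheme != SCHEME:
        return False
    expected = bytes.fromhex(hash_hex)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations),
                             dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored record uses weaker parameters than current
    policy. Call after a successful login and re-store with hash_password(),
    since the plaintext is only available at that moment."""
    scheme, stored_iterations, _, _ = record.split("$")
    return scheme != SCHEME or int(stored_iterations) < iterations


def issue_reset_token() -> Tuple[str, str]:
    """For the 'set new password' flow: return (token_to_email, stored_digest).
    Only the digest is written to the database, so a dump of the table does
    not let an attacker take over accounts through the reset path either."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()


def check_reset_token(token: str, stored_digest: str) -> bool:
    """Compare the presented token's digest with the stored one in constant time."""
    digest = hashlib.sha256(token.encode("ascii")).hexdigest()
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Because the salt is random per user, hashing the same password twice yields two different records, which is exactly what defeats precomputed tables and forces the attacker to run the full iteration count once per user per guess. Note that a reset token must also expire and be single-use; that bookkeeping (expiry timestamp, clearing the digest after use) lives in the same table row and is left out here.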