Well, if they have _write_ access to your DB, you're up sh!t creek, no matter what.

Having said that, if you're going to store sensitive information, effort should be 
made to protect the privacy of that information.

I find it mind-boggling that people think to themselves "If someone _could_ have full 
access, the information is compromised.  Therefore, I will not put _any_ effort into 
security, because someone _could_ have _full_ access.  But I don't know how someone 
could get full access, and as such, I don't need to put in any security."  Yikes.

----- Original Message -----
From: Andy Ousterhout <[EMAIL PROTECTED]>
Date: Monday, February 24, 2003 4:55 pm
Subject: RE: Password fields in MS SQL Server 2000

> If someone can get access to your DB and the password field, is your problem
> bigger than that they found out users' passwords?  I don't encrypt/hash
> passwords now because of the perhaps mistaken view that if they can access
> database fields outside of the control of my program then they can easily
> break any scheme that I apply either through brute force or by finding the
> appropriate code.  I do password protect access to the database.
> 
> Is this a good assumption/plan or should I also encrypt sensitive fields
> such as PW and credit card numbers?
> 
> Andy
> -----Original Message-----
> From: Tilbrook, Peter [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 24, 2003 5:17 PM
> To: CF-Talk
> Subject: Password fields in MS SQL Server 2000
> 
> 
> Hi there,
> 
> Just wondering if there is a setting in SQL Server to hide password fields
> like in MS Access.
> 
> At the moment the fields are just nvarchar which sort of defeats the purpose
> of having a password field in the database (even using SSL for logging in).
> 
> Thanks!
> 
> ==
> Peter Tilbrook
> Internet Applications Developer
> Australian Building Codes Board
> GPO Box 9839
> CANBERRA ACT 2601
> AUSTRALIA
> 
>      WWW: http://www.abcb.gov.au/
>   E-Mail: [EMAIL PROTECTED]
> Telephone: +61 (02) 6213 6731
>   Mobile: 0439 401 823
> Facsimile: +61 (02) 6213 7287
> 
> 
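
Added example, not part of the original thread: one way to keep a password column from holding anything directly usable, by storing a salted, deliberately slow PBKDF2 hash in an ordinary text column. The in-memory SQLite database stands in for the SQL Server table, and the table name, column names, function names and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # assumed work factor; raise it as far as login latency allows


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for a text column."""
    salt = os.urandom(16)  # fresh random salt per user: equal passwords, different rows
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and cost, compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(hash_hex)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # malformed or truncated column value
        return False
    return hmac.compare_digest(digest, expected)


def open_db():
    """In-memory stand-in for the real users table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    return db


def register(db, username, password):
    # Parameterized query; only the derived hash string is ever written.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, hash_password(password)))


def login(db, username, password):
    row = db.execute("SELECT pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and verify_password(password, row[0])
```

Someone who can read the column still has to pay the full iteration cost for every guess against every user separately, which is the difference between this and a plaintext nvarchar field.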