Everything that I've read about CC numbers is that you're not supposed to
store them unencrypted on a network-accessible server.  Preferably you don't
store them on a network-accessible server at all.  The reason is that if
your security gets cracked, you are SOL, but the people who trust you might
not be.  However, if you don't encrypt the data, then all those people are
hosed as well, and that's not a good way to get someone to trust you in the
future.

Same argument applies for passwords, although to a much lesser degree.
Approximately 100% of the population (the exception being security freaks and some
sysadmins) uses the same password for everything, so getting one password
compromised means having all your passwords compromised.

My vote is encrypt everything that is sensitive, because you never know, and
it's not like it adds much of a burden on you the programmer.  If you're
doing two-way encryption, make sure you use some sort of means to secure the
encryption key, because if someone steals your DB with encrypted passwords,
the encryption isn't going to be worth anything if the key is in the
'app_settings' table.  Putting it in the source code is also a bad idea.  I
don't know what a really good solution is, because both private and public
keys must reside on the machine, but anything is better than nothing.

> -----Original Message-----
> From: Andy Ousterhout [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 24, 2003 3:56 PM
> To: CF-Talk
> Subject: RE: Password fields in MS SQL Server 2000
>
>
> If someone can get access to your DB and the password field, is your problem
> bigger than that they found out users' passwords?  I don't encrypt/hash
> passwords now because of the perhaps mistaken view that if they can access
> database fields outside of the control of my program then they can easily
> break any scheme that I apply either through brute force or by finding the
> appropriate code.  I do password protect access to the database.
>
> Is this a good assumption/plan or should I also encrypt sensitive fields
> such as PW and credit card numbers
>
> Andy
> -----Original Message-----
> From: Tilbrook, Peter [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 24, 2003 5:17 PM
> To: CF-Talk
> Subject: Password fields in MS SQL Server 2000
>
>
> Hi there,
>
> Just wondering if there is a setting in SQL Server to hide password fields
> like in MS Access.
>
> At the moment the fields are just nvarchar which sort of defeats the purpose
> of having a password field in the database (even using SSL for logging in).
>
> Thanks!
>
> ==
> Peter Tilbrook
> Internet Applications Developer
> Australian Building Codes Board
> GPO Box 9839
> CANBERRA ACT 2601
> AUSTRALIA
>
>       WWW: http://www.abcb.gov.au/
>    E-Mail: [EMAIL PROTECTED]
> Telephone: +61 (02) 6213 6731
>    Mobile: 0439 401 823
> Facsimile: +61 (02) 6213 7287
>
>
>
> 
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4