> If someone can get access to your DB and the password
> field, is your problem bigger than that they found out
> users' passwords? I don't encrypt/hash passwords now
> because of the perhaps mistaken view that if they can
> access database fields outside of the control of my
> program then they can easily break any scheme that I
> apply either through brute force or by finding the
> appropriate code. I do password protect access to the
> database.
>
> Is this a good assumption/plan or should I also encrypt
> sensitive fields such as PW and credit card numbers?
No, this is a very bad assumption. Yes, you should also encrypt any sensitive data whenever possible, or better yet, don't store the actual data at all. For example, it's not usually necessary to store passwords; you can instead store a hash of the password, and compare hashes when needed.

Securing anything, whether a database or your house, is a matter of redundancy and layering. Just because I have a lock on the door doesn't mean I'll never need to use my shotgun.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

