Encrypting data in the database

David Thielen

Hi;

We are storing usernames & passwords in our portal's database. Is there an
advantage to encrypting the data in the database?

At first I was thinking there is no advantage because the connection string
and the decryption key are both in the Web.Config file (encrypted) and so if
one can be decrypted, the other can too.

But then I was thinking what if person A knows the connection string, person
B knows the decryption key, and person C is the only one who can log in to
the server and places the encrypted Web.Config entries.

Does this make things more secure or just more complicated?

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

Cubicle Wars - http://www.windwardreports.com/film.htm
 
Luke Zhang [MSFT]

Hello Dave,

I think it is necessary to also encrypt the password in the database. A SQL
Server may have multiple administrators and be used by multiple applications.
Even if we can confirm that our ASP.NET application is secure enough, we
cannot ensure that other applications running with the SQL Server are safe, so
the db admin's permission can still be leaked. Especially, your system
stores very important information and requires strong security.

In .NET application we can encrypt data with DESCryptoServiceProvider:

http://msdn2.microsoft.com/en-us/library/system.security.cryptography.descryptoserviceprovider.aspx

Sincerely,

Luke Zhang

Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.