tags:

views:

96

answers:

4
+1  Q: 

Obfuscate database table names

We're about to undergo a project where we'll be handling highly sensitive data. Apart from encrypting the data I was thinking about obfuscating the table names.

So tEmployees would become t58633B7A for example. Would this be a useful to add? after all it's about building layers of security/prevention.

P.S. We'll map the obfuscated table names to the real names in our Data Access Layer

+13  A: 

This seems entirely superfluous. If an attacker has gained access to the database, then simply not knowing the table name is little protection in the grand scheme of things. You should spend your time, if anything, on better intrusion detection and protection mechanisms.

Joel Martinez  2010-02-11 18:04:09
+1: Just have to look at foreign keys/etc to see relationships. If someone has DB account access, you have ***bigger*** problems
OMG Ponies  2010-02-11 18:10:02
It would be trivial to rename the tables to whatever you want. If you see a column with data like 'Kevin', 'Bill', 'Judith', you're going to immediately guess it's a first name field. Effort is better expended in securing the database and all replicas so as to avoid leaking data in the first place. A lot of people secure the database server but forget to lock down back-up copies as diligently, for example.
tadman  2010-02-11 18:28:27
+2  A: 

I would say it's probably a waste of time. If someone can hack your program enough that is has access to your database, then your screwed anyway and this hacker will figure out your silly obfuscation scheme in a heartbeat.

Earlz  2010-02-11 18:05:57
+5  A: 

Although you will hear over and over again that security through obscurity is bad, it does help raise the bar to attack, so long as you keep in mind that it is not a solution.

For your particular case, I would say that the cost of maintaining, debugging, troubleshooting your database will outweigh the benefits from the tiny amount of perceived security.

0xfe  2010-02-11 18:06:21
+3  A: 

What a complete waste of time.

Well, not really..... it does have the feature of scaring away actual talent during interviews, and might get you a mention on TheDailyWTF.

Eric H.  2010-02-11 18:12:26
+1 because you made me chuckle
Earlz  2010-02-11 18:15:18

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?