tags:

views:

411

answers:

10
+9  Q: 

Why encrypt user passwords?

+16  A: 

Because, hashing passwords will protect it from attacks from inside the organization. This way people who have access to the database won't know the user's password.

People have a habit of using the same password over and over, and so if your database is accidentally compromised, your organization isn't the one that makes the user's other accounts comprised in other organizations. Now should people do this, no, but they do, and it's a lot easier to hash the passwords, than it is to explain to your customers why someone on the inside got a hold of the passwords and caused damage to several accounts in other systems not related to yours.

If you think that this reason is too exaggerated, you might want to know that it actually happened to Jeff Atwood, Stack Overflow creator. He described how the whole Stack Overflow was compromised in his blog post "I Just Logged In As You: How It Happened".

Edit:

To further answer you question, your other sensitive data should be encrypted as well. A lot of cyber attacts are inside jobs, and I hate to say it, but you have to be paranoid about who can see what information. Anything that you deem sensitive that you don't want people to know unless they are specifically authorized to see that data, should be encrypted in the database. You are right there are times when comparing what can be stolen the password isn't that much of a concern to you. The key is "to you". It is to other people, and should be protected along with the other sensitive data in the system.

Kevin  2010-07-09 13:36:38
+7  A: 

What if you have a SQL injection vulnerability, someone steals your database, and uses the usernames, email addresses, and plaintext passwords you have stored to login directly to your users email accounts, bank accounts, etc. Do you really want to take on that liability? Conversely, do YOU really want to take on the responsibility of being able to see your users passwords in plaintext?

Dolph  2010-07-09 13:37:25
+2  A: 

Because you don't want to fall into the design trap of sending unencrypted passwords, or thinking you can, since you won't have anything unencrypted to compare against, maybe.

unwind  2010-07-09 13:37:34
A: 

Usually a hash of the password is stored in a database not the raw original text. This is to ensure extra security for the user credentials for external attacks on the system. Comparison of hashes is done to verify the user credentials.

You may want to read more theory on why this is the approach followed inorder to understand it better. Wiki can be a start point for this.

Praveen S  2010-07-09 13:40:18
+5  A: 

Reasons:

  1. If someone (from inside or outside) will steal those passwords and publicly release them, you're doomed, you can instantly close your business.
  2. Some people use the same password for many services. If some "attacker" can access e-mail address and password, the easiest way is to try if that password also works for that e-mail account.

You don't want this happen.

If you can access someone elses e-mail account, you can request sending forgotten password from victim's various services etc.

dwich  2010-07-09 13:41:11
+3  A: 

For internal attacks, if I can remember 5 username/password combos, then go to a public terminal and access those accounts, it's less likely someone will notice the attack than if I used a work machine to directly edit the database or pull out large amounts of data while at work.

And as everyone else pointed out, since we all have a hundred or more places online that all want different passwords... many, many people just use the same password over and over and over again. If the Williams Widget Company loses your name, login, and password, and your bank has the same login and password, and it's tracked back that the Widget Company was who lost your password... there's some muddling of liability there.

Dean J  2010-07-09 13:41:41
A: 

When storing the password hash. Don't forget to salt it with something, so reverse lookup of the hash won't reveal the password. Yes, make it a long string before hashing.
I don't understand the last paragraph of the question. Sorry.

MattBianco  2010-07-09 13:52:18
The question does not ask *how* passwords should be encrypted. It asks *why* passwords should be encrypted.
Jeff  2010-07-09 13:58:39
A: 

Ok, I asked the question in a bad way. Let me rephrase this.

If someone breaks into this system, the fact that they have the user's passwords is one of the least of my concerns. I'll be encrypting passwords but in my humble opinion, the other data in the database is way more valuable. Assume that if an internal attacker has that data, they don't care about the passwords.

If nothing else in the database is encrypted and everything else in the database is what an attacker actually wants, did encrypting passwords actually solve anything?

Anonymous Coward  2010-07-09 14:10:08
With encrypted passwords they will only steal the data from this system, but with unencrypted passwords they can reuse passwords and access data on numerous other systems. That's the difference.
sharptooth  2010-07-09 14:13:50
To add more information to your question, use the comment system or edit your question. Please don't post an answer if it is not an actual answer. *Edit:* I just noticed you're posting under a different account, if that is even you. It'd be best to log back in with the account you used to post the question so that you can edit your question...
Jeff  2010-07-09 14:16:38
For some reason it logged me out of the previous account and I can't get back in. My anonymousness baffles even me. I've copied down the OpenID hash this time.The system I'm working on stores information which could be used for identity theft. Hence the worry about applying more security to passwords than content.
Anonymous Coward  2010-07-09 14:38:48
Not only the unencrypted pwd can be reused to access data on other systems, if the user uses the same passw; it can be used to access the very same system. And while the first "get the user-pass attack" could look as an attack and be discovered, next access with user-pass would look "normal" access. And if the "real" attack is not noticed, they can do harm more subtly and "covered"
ShinTakezou  2010-07-09 15:46:21
A: 

Confidentiality, integrity, authenticity, privacy... Remember your first security course, and try to count how many of theses are bypassed with your problem.

Four ? Well, it depends of a more specific view of the issue, but not far anyway :)

Toopiboum  2010-07-09 14:46:59
A: 

Also, you don't need to know the user password. Creating the the password hash on the client side is a good idea. Depending on your location there may be legal requirements when storing personal data and passwords.

Code Clown  2010-07-09 14:50:53

related questions

What language do you use for Postgresql triggers and stored procedures?
Are Multiple DataContext classes ever appropriate?
Which tools do people use to create Data Dictionaries?
Any experiences with Protocol Buffers?
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
How do I index a database field
How does database indexing work?
How do I connect to a database and loop over a recordset in C#?
Editing database records by multiple users
Object Oriented vs Relational Databases
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
Embedded Database for .net that can run off a network
Connect PHP to an AS/400
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
.NET Migrations Engine
Is there a version control system for database structure changes?
SQLite and XSD
How do I version my MS SQL database in SVN?
XSD DataSets and ignoring foreign keys
Flat File Databases in PHP
Throw Error In MySQL Trigger
Binary Data in MySQL