Which data to encrypt

  • Question

  • User2146470223 posted

    Hi,

    Sorry if this might already have been asked, but I cannot find anything, as I always get tons of results about encryption in general.

    Which data (table rows) should generally be encrypted? I guess encrypting 100% of the tables is nonsense. At the moment all my tables with customer-relevant data (address, phone number, VAT number, e-mail address, password, …) are encrypted. Did I forget something?

    Is there a tutorial about which kind of data must be, should be, and does not need to be encrypted?

    I guess product descriptions and/or similar data would not need encryption.

    DB backups should/must be encrypted.

    Thanks,

    Pascal

    Monday, April 11, 2016 1:55 PM

All replies

  • User-821857111 posted

    I don't know if there are laws that cover encryption of data in certain circumstances and if so, to which territories they apply, but you should never under any circumstances encrypt passwords. You should hash them instead.

    Monday, April 11, 2016 2:25 PM
  • User2146470223 posted

    Hi Mike,

    Can you elaborate on this a bit more? Or is it simply because encryption (in this case, randomized) would be too easy to decipher?

    Monday, April 11, 2016 2:36 PM
  • User-821857111 posted

    Encryption is a two-way process. Data that is encrypted must be capable of being decrypted.

    Hashing is a one-way process. There is no need for you to know the passwords that your customers have provided, so you should store a hashed version of them. You might think that it would be impossible to match an incoming password from someone who is attempting to log in to the scrambled (hashed) versions that you have stored in your database, but what you actually do is hash the incoming password and compare that to the stored hashes.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, April 11, 2016 3:55 PM
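The hash-and-compare flow described in the reply above, as an added example that is not part of the original thread or the poster's own code. The reply names no specific algorithm; this example assumes PBKDF2-HMAC-SHA256 from the Python standard library with a random per-user salt, and the `USERS` table and usernames are constructed sample data. Note that verification never "decrypts" anything: the candidate password is hashed with the stored salt and parameters and the two digests are compared in constant time.

```python
"""Added example (not from the forum thread): store a salted password hash,
never the password, and verify a login by re-hashing the candidate.
Algorithm choice (PBKDF2-HMAC-SHA256) is this example's assumption."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2 iteration count: deliberately slow to hinder offline brute force.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    A fresh random salt per user means two users with the same password
    get different stored values, which defeats precomputed tables.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Hash the incoming password with the stored salt and iteration count,
    then compare digests in constant time. Malformed records fail closed."""
    try:
        algorithm, iterations_str, salt_b64, hash_b64 = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iterations = int(iterations_str)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    # hmac.compare_digest avoids leaking where the digests first differ.
    return hmac.compare_digest(candidate, expected)


# Constructed sample "users table": username -> stored hash record.
# Both users share a password to show the salts keep the records distinct.
USERS = {
    "pascal": hash_password("correct horse battery staple"),
    "mike": hash_password("correct horse battery staple"),
}


def login(username: str, password: str) -> bool:
    """Look up the user and verify; unknown users simply fail."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    print("stored record for pascal:", USERS["pascal"])
    print("correct password accepted:", login("pascal", "correct horse battery staple"))
    print("wrong password rejected:", not login("pascal", "Correct horse battery staple"))
```

The stored record carries its own algorithm name, iteration count and salt, so the iteration count can be raised later for new or re-hashed passwords without breaking verification of existing ones.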
  • User2146470223 posted

    ok for hashing passwords but what about the initial question? ;)

    Tuesday, April 19, 2016 10:58 PM
  • User-821857111 posted

    Personally, I don't find the need to encrypt any data stored in the database. If the wrong people have access to your database, encrypted or otherwise, I suggest you have much bigger problems to worry about.

    Wednesday, April 20, 2016 6:22 AM
  • User2146470223 posted

    Yes, I agree with you on that point, but still, I just want to be on the safe side for the worst-case scenario. ;) You never know what happens, and as it is for a company, too, hacking from external or internal resources can never be excluded.

    Wednesday, April 20, 2016 8:20 AM
  • User-821857111 posted

    Company names and addresses in some contexts are a valuable asset, but they might not be in other contexts. Therefore there is unlikely to be specific advice on the data you should protect. The business should decide what is commercially valuable to them, and then you can implement your security measures based on the customer needs.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, April 20, 2016 8:37 AM
  • User2146470223 posted

    Ok, yes, that's then pretty much what I thought too. Thanks

    Wednesday, April 27, 2016 10:37 PM