Last post Apr 27, 2016 10:37 PM by Translating-IT
Apr 11, 2016 01:55 PM|Translating-it|LINK
Sorry if this might already have been asked, but I cannot find anything as I always get tons of results about encryption in general.
Which data (table rows) should generally be encrypted? I guess encrypting 100% of the tables is nonsense. At the moment all my tables with customer-relevant data (address, phone number, VAT number, mail address, password, …) are encrypted. Did I forget something?
Is there a tutorial about what kind of data must be, what should be and what does not need to be encrypted?
I guess product descriptions and/or similar data would not need encryption.
DB backups should/must be encrypted.
Apr 11, 2016 02:25 PM|Mikesdotnetting|LINK
I don't know if there are laws that cover encryption of data in certain circumstances and if so, to which territories they apply, but you should never under any circumstances encrypt passwords. You should hash them instead.
Apr 11, 2016 02:36 PM|Translating-it|LINK
Can you elaborate on this a bit more? Or is it simply because encryption (in this case) randomized would be too easy to decipher?
Apr 11, 2016 03:55 PM|Mikesdotnetting|LINK
Encryption is a two way process. Data that is encrypted must be capable of being decrypted.
Hashing is a one-way process. There is no need for you to know the passwords that your customers have provided, so you should store a hashed version of them. You might think that it would be impossible to match an incoming password from someone who is attempting to log in to scrambled (hashed) versions that you have stored in your database, but what you actually do is hash the incoming password and compare that to the stored hashes.
Apr 19, 2016 10:58 PM|Translating-it|LINK
OK for hashing passwords, but what about the initial question? ;)
Apr 20, 2016 06:22 AM|Mikesdotnetting|LINK
Personally, I don't find the need to encrypt any data stored in the database. If the wrong people have access to your database, encrypted or otherwise, I suggest you have much bigger problems to worry about.
Apr 20, 2016 08:20 AM|Translating-it|LINK
Yes, I agree with you on that point, but I still just want to be on the safe side for the worst-case scenario. ;) You never know what happens, and as it is for a company too, hacking from external or internal resources can never be excluded.
Apr 20, 2016 08:37 AM|Mikesdotnetting|LINK
Company names and addresses in some contexts are a valuable asset, but they might not be in other contexts. Therefore there is unlikely to be specific advice on the data you should protect. The business should decide what is commercially valuable to them, and then you can implement your security measures based on the customer needs.
Apr 27, 2016 10:37 PM|Translating-it|LINK
Ok, yes, that's then pretty much what I thought too. Thanks