Let me first explain that I am a Coldfusion server side developer, and I have been dutifully encrypting login passwords for many years.

I recently started thinking more carefully about the point of hashing or encrypting passwords, using libraries such as bCrypt(). Hackers often use SQL Injection to obtain sensitive data like bank account details, NI Numbers & credit/debit card numbers. I very much doubt a hacker would be bothered to sell passwords, considering a single credit card number only sells for a relatively small amount nowadays.

So, my question is:

Is there actually any point in encrypting login passwords in the first place?

Charles Robertson
  • Of course it's necessary. You owe it to your users that if your database is compromised their passwords cannot be used on other services to get access to them. – Artjom B. Oct 24 '15 at 18:54
  • But this assumes that users use the same passwords for other accounts. Hackers are not going to spend time logging in to other accounts. They will SQL inject until they find bank details directly within a database. – Charles Robertson Oct 24 '15 at 19:52
  • Actually, I'd argue that it is not a good idea to encrypt the passwords; encryption implies reversibility. What *is* a good idea is hashing them, repeatedly, with a big enough random salt (that you also record). The number of cycles of hashing can be quite large (as in, 1024 or more). There are a lot of other questions on the topic. See also [Encrypting/Hashing plain text password in database](https://stackoverflow.com/questions/287517) and [Difference between hashing a password and encrypting it](https://stackoverflow.com/questions/326699/) and those are just from the related questions. – Jonathan Leffler Oct 24 '15 at 20:05
  • I'm voting to close this question as off-topic because it is discussed at length on [security.se]: [What is a good analogy to explain to a layman why passwords should be hashed?](http://security.stackexchange.com/q/63392), [Why is password hashing considered so important?](http://security.stackexchange.com/q/41447), [Why should I hash passwords?](http://security.stackexchange.com/q/36833), [For what do I hash user passwords with PDKDF2 when the user...](http://security.stackexchange.com/q/18509) – Artjom B. Oct 24 '15 at 20:17
  • I actually use bCrypt, which cannot be decrypted. It stores the salt within its hash using a machine time stamp: http://www.mindrot.org/projects/jBCrypt/ – Charles Robertson Oct 24 '15 at 20:24
  • @Artjom B your links seem to imply that a hacker is going to steal passwords as a priority via an injection attack. My hypothesis is that a hacker is going to go straight for your credit card data. Why would a hacker want to spend time selling passwords or, even worse, spend time logging into other accounts, on the off chance that one account out of many might allow him access to financial data that he has already collected during his initial SQL injection? – Charles Robertson Oct 24 '15 at 20:34
  • @Artjom B I am just asking the question, because many times, as a developer, we are told to do this & that, because this is what someone smarter than ourselves has hypothesised. But I am beginning to question some of these practices. In a way, I am playing devil's advocate to see if anyone is actually prepared to put their 'head above the parapet'... – Charles Robertson Oct 24 '15 at 20:39
  • @Artjom B. Have you ever carried out a SQL Injection? It seems the comments so far have focused on the ethical, emotive and legal aspects of the question. Please can you provide me with an answer that deals with the logical aspect. – Charles Robertson Oct 25 '15 at 10:29

1 Answer

YES! It is very important: what if your users share their password across multiple sites? Now the hacker has access to their bank account, email, etc. As a developer/programmer it is your ethical responsibility to provide your users with a safe and secure experience.

osekmedia
  • If we take this example in isolation, most hackers use SQL injection to access sensitive database values. Once successful, a hacker will not even bother looking at password data. Straight to credit card info, which must be encrypted, preferably with the salt in a separate database. – Charles Robertson Oct 24 '15 at 19:45
  • I doubt a hacker that has found your credit card details in a database is going to bother trying to log into other accounts, when the information he needs is already available. – Charles Robertson Oct 24 '15 at 19:49
  • You should try to protect your data any way possible. You should be protecting against injection attacks in your code and encrypting passwords, and if you MUST store credit card info, you should have it encrypted and the key/salt should be isolated. You should be using a token vault service of some kind and following PCI as best as possible. You may want to review https://www.owasp.org/index.php/Main_Page also. – osekmedia Oct 24 '15 at 20:07
  • I absolutely agree that credit card data MUST be encrypted, and the salt stored separately. But I am still not convinced that encrypting login passwords has any real benefit. I will continue to encrypt passwords because the law says I must. A determined hacker using SQL injection only makes any real money out of selling credit/debit card data. – Charles Robertson Oct 24 '15 at 20:18
  • In fact, I never store customers' credit card data anymore. It is just too risky. – Charles Robertson Oct 24 '15 at 20:20