Presently, I am using SHA-256 to store passwords in the table and further protecting the MDB file itself with MD5 hash to check the integrity of the file. This MD5 hash value is checked each time the application starts.
I have three questions:
(1) What is better, storing hashed or encrypted values in the database?
(2) When my application starts, a decrypted or encrypted password is stored in public variables, depending upon the situation. To secure the data, I immediately change the value of these variables to "", as soon as the job of these variable is over. Is this the way the hash or encrypted values are destroyed from memory?
(3) Please suggest some good links discussing security of databases.
In response to your first question, it depends on what problem you are trying to solve.
Hashes are fancy checksums. It's hard for them to be faked by accident or on purpose. However, if you are worried about someone unauthorized modifying the database, they could in theory change the data and the hash. You need to examine how hard that would be. If you stored the data and hashes in a distributed fashion, it might be harder for someone to change the database undetectably.
Hashes of that sort work best in a situation like a library of hashes of important files -- like the system files of your Windows system -- so you could check them by some process.
If instead, you want to stop unauthorized reading of the database, then encryption is the only answer.
The answer to your second question is typically, yes, the buffer containing the passphrases or keys or other sensitive data gets cleared as soon as it is used.
I don't know what language you're programming in, but it sounds like it's something like a scripting language. In such a case, you need to be sure that when you put "" into the variable that the variable is actually cleared, not merely deallocated. I'll bet you it's not.
And finally, here are a few resources on database security:
- Is database security an oxymoron
- NCipher Database Encryption Resources
- Information Week Resources
- SANS Resources
For more information on this topic, visit these other SearchSecurity.com resources:
News & Analysis: Top 10 database security headaches
Best Web Links: Database security
Infosec Know IT All Daily Trivia: Database security
Featured Topic: Database security
This was first published in February 2003