Problem solve Get help with specific problems with your technologies, process and projects.

Encryption and database security

In my application, I have an MS Access MDB file which stores all the user data.

Presently, I am using SHA-256 to store passwords in the table and further protecting the MDB file itself with MD5 hash to check the integrity of the file. This MD5 hash value is checked each time the application starts.

I have three questions:

(1) What is better, storing hashed or encrypted values in the database?

(2) When my application starts, a decrypted or encrypted password is stored in public variables, depending upon the situation. To secure the data, I immediately change the value of these variables to "", as soon as the job of these variable is over. Is this the way the hash or encrypted values are destroyed from memory?

(3) Please suggest some good links discussing security of databases.

In response to your first question, it depends on what problem you are trying to solve.

Hashes are fancy checksums. It's hard for them to be faked by accident or on purpose. However, if you are worried about someone unauthorized modifying the database, they could in theory change the data and the hash. You need to examine how hard that would be. If you stored the data and hashes in a distributed fashion, it might be harder for someone to change the database undetectably.

Hashes of that sort work best in a situation like a library of hashes of important files -- like the system files of your Windows system -- so you could check them by some process.

If instead, you want to stop unauthorized reading of the database, then encryption is the only answer.

The answer to your second question is typically, yes, the buffer containing the passphrases or keys or other sensitive data gets cleared as soon as it is used.

I don't know what language you're programming in, but it sounds like it's something like a scripting language. In such a case, you need to be sure that when you put "" into the variable that the variable is actually cleared, not merely deallocated. I'll bet you it's not.

And finally, here are a few resources on database security:

For more information on this topic, visit these other SearchSecurity.com resources:
News & Analysis: Top 10 database security headaches
Best Web Links: Database security
Infosec Know IT All Daily Trivia: Database security
Featured Topic: Database security

This was last published in February 2003

Dig Deeper on Database Security Management-Enterprise Data Protection

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.