How to protect data in a database?
Hello everyone. While writing a script, I have the task of making sure that if attackers get hold of our script or database, they cannot get logins/passwords out of it.
With the database it's clear: there are a bunch of libraries for encoding information in the database, and for decoding a key is used, which I usually kept in the config file. It turns out that if someone obtains the script, they will also obtain this key and be able to decode the data from the database. Question: how and where should this key be stored then, or what else can be used instead of these libraries, what other options are there? Thanks in advance.
P.S. I usually used the bcrypt library.
Store in the database not an encrypted password but a hashed one, using a one-way hash function. Then an attacker who has obtained all the data will not be able to recover the password from the hash. That is only possible by brute force, which can take a significant amount of time for each hash.
> It turns out that if someone obtains the script, they will also obtain this key and be able to decode the data from the database

A one-way algorithm has no key to decode with. There is usually a salt, to prevent lookups in a rainbow table, but the salt does nothing to help an attacker get the passwords. The bcrypt you mentioned is just a one-way hashing algorithm, and most likely by "key" you mean the salt.
Don't release the database to the internet and there won't be any problems.
Well, passwords everywhere should be complex.
And you can't store passwords in code - keep them in a secure vault that only trusted employees have access to.
Encrypting data in the database is an extreme measure, not the most effective one, and can even be harmful.
To do it properly, you need to slightly change the protocol for processing customer data,
so that you eventually arrive at end-to-end encryption on the clients. This is quite difficult to explain briefly in simple terms;
here is a rough description of how it works in practice:
https://staffcounter.net/en/introducing-p2p-encryp...
Also read how it is done at mega.nz.