Information Security
Mikkkch, 2021-11-12 19:47:41

Is it safe to store verification codes in a database?

A system is needed in which actions such as registration, password reset, etc., are carried out using six-digit numeric codes that the user receives via SMS and e-mail.

I made a model that stores the code itself, the date when it expires, and the user to whom the code is attached. The code is generated randomly, and accordingly it cannot be guaranteed to be unique, so a user is required.

Does the code need to be encrypted? Is it normal that it can be read in plain text in the database?
Indeed, if the database is hacked, then even considering that all passwords are encrypted, there may be active password reset codes that can be used.

I have seen many solutions in which the code is kept in plain text, and this confuses me.

2 answer(s)
galaxy, 2021-11-12
@Mikkkch

Indeed, if the database is hacked, then even considering that all passwords are encrypted, there may be active password reset codes that can be used.

It's strange to cry over your hair after losing your head. If your database has already been hacked, the attacker can simply change the password for the user (and indeed, there is access to all data anyway).
Unless you're imagining some sort of half-ass hack... Well, then you can encrypt it with a password stored somewhere in the app's settings.

TheAndrey7, 2021-11-12
@TheAndrey7

Considering the cracker's scenario will help answer your question.
Say he gets access to the database. What can he do with a one-time code? Maybe he won't need it at all, if he can obtain or write in a session for the desired user.
Aren't you bothered by the use of an insecure SMS channel? Since you are already using it, it means that this data is not of great value. However, this is not credit card information.
If you do get hacked, cancel all sessions and codes, demand that all user passwords be replaced (if you use them at all).
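
An added example, not part of either answer or of the asker's code, covering the read-only database leak galaxy describes and the "cancel all codes" step TheAndrey7 recommends. It stores an HMAC of the code keyed with a secret from the app's settings instead of the encryption galaxy mentions, because the server never needs to read the code back and an unkeyed hash of a six-digit value can be reversed by trying all 1,000,000 candidates. The dict `db`, the function names, and the TTL and attempt limits are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: in a real app this key is loaded from settings or the environment,
# never from the same database that holds the codes. Constructed here for the demo.
APP_SECRET = secrets.token_bytes(32)
CODE_TTL = 600        # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5      # guesses allowed per code (assumed value)

def _digest(user_id, purpose, code, key=APP_SECRET):
    # Binding user and purpose into the MAC stops a digest being reused elsewhere.
    msg = f"{user_id}:{purpose}:{code}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue_code(db, user_id, purpose, now=None):
    """Create a six-digit code, store only its keyed digest, return it for delivery."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    db[(user_id, purpose)] = {"digest": _digest(user_id, purpose, code),
                              "expires": now + CODE_TTL, "attempts": 0}
    return code

def verify_code(db, user_id, purpose, code, now=None):
    """Check a submitted code: single use, time limited, attempt limited."""
    now = time.time() if now is None else now
    row = db.get((user_id, purpose))
    if row is None:
        return False
    if now >= row["expires"] or row["attempts"] >= MAX_ATTEMPTS:
        del db[(user_id, purpose)]           # expired or locked out
        return False
    row["attempts"] += 1
    if hmac.compare_digest(row["digest"], _digest(user_id, purpose, code)):
        del db[(user_id, purpose)]           # a code works once only
        return True
    return False

def revoke_all(db):
    """Incident response: invalidate every outstanding code."""
    db.clear()
```
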
