RE: Security - It Doesn't Seem Possible?




There are differing levels of compromise on a system. Hackers gaining access
to your code or your database do not necessarily have both. Total system
security failures are anomalies and not the norm.

I prefer one-way hashes for very secure sites. But, security is a two way
street. There are times that you have to loosen a bit to compromise with
other aspects of programming.

It is a constant battle against hackers and you slowly, but surely, add a
level of protection. The hacker is also working to gain access and find some
hole in the system.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

***************************
Think Outside the Box!
***************************


"Ian Evitable" wrote:

> Hello
>
> I'm struggling with the concept of application security. At this point I don't
> see how it works nor how it's possible in a shared web-hosting environment.
>
> If I require a user logon to access the site I need somewhere to store the
> user credentials, say a database. So I encrypt them as they sit in the
> database. But if someone hacks the server and can download a copy of both
> the database and the application, then they can easily use ILDasm to check
> out how to decrypt the encrypted database passwords, because my application
> needs to do this in order to verify that a user's login was correct.
>
> So basically, why bother with internal application encryption at all if the
> whole system falls apart once someone can bypass the front gate (server)? I
> just don't get it.
>
> If I use a one-way hash then the password must become disposable, as I can't
> un-hash it but rather only compare new input to the existing hash. So if
> that's the case, then how come almost every site I have registered for is able
> to send me my password if I "forget it"... including my bank.
>
> Clearly they are using an encrypt/decrypt model... which goes back to why
> bother. Once an attacker is through the front gate you're done like a dog's
> dinner anyway.
>
> Thanks
> Ian
>
>
>
>
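The one-way-hash approach Gregory mentions, worked through as an added example; this is not code from the original thread or from either poster. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt (the algorithm and iteration count are assumptions chosen for the example, not something the thread specifies). The point it illustrates is Ian's own scenario: an attacker who has both the database rows and this verification code still has nothing to "decrypt", because no decryption key exists, and the "forgot password" case is handled by replacing the record rather than recovering the old secret.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters are assumptions for this example, not values from the thread.
# Raise the iteration count over time as hardware gets faster.
PBKDF2_ITERATIONS = 200_000
HASH_NAME = "sha256"
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the stored credential record: algorithm, iterations, salt, digest.

    The password itself is never stored. Only a random salt and the
    one-way derived key go into the database row.
    """
    if salt is None:
        # A fresh random salt per user defeats precomputed (rainbow) tables
        # and makes identical passwords produce different digests.
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "algorithm": f"pbkdf2-{HASH_NAME}",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "digest": digest.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the digest from the candidate and compare in constant time.

    This is the only operation the application needs at login. Reading this
    function (e.g. with ILDasm in the .NET case) reveals the algorithm, but
    the algorithm is public anyway and there is no key to extract.
    """
    salt = bytes.fromhex(record["salt"])
    candidate_digest = hashlib.pbkdf2_hmac(
        HASH_NAME, candidate.encode("utf-8"), salt, record["iterations"]
    )
    # compare_digest avoids leaking where the two digests first differ.
    return hmac.compare_digest(candidate_digest, bytes.fromhex(record["digest"]))


def reset_password(record: dict, new_password: str) -> dict:
    """'Forgot password' under a one-way hash.

    The old secret cannot be recovered, so the site lets the user set a new
    one (after verifying identity out of band) and overwrites the stored
    record with a fresh salt and digest. The old digest is discarded.
    """
    return hash_password(new_password)


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    stored = hash_password("correct horse battery staple")
    print("stored row:", stored)
    print("right password verifies:", verify_password(stored, "correct horse battery staple"))
    print("wrong password verifies:", verify_password(stored, "Tr0ub4dor&3"))
    replaced = reset_password(stored, "new passphrase after reset")
    print("old password after reset:", verify_password(replaced, "correct horse battery staple"))
    print("new password after reset:", verify_password(replaced, "new passphrase after reset"))
```

The record layout (algorithm name and iteration count stored beside the digest) is what lets you raise the work factor later without invalidating existing users: verification reads the iterations from the row, and each user's record is upgraded the next time they log in successfully.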


