In my travels, I have come across many methods for storing passwords. All of these methods are deeply flawed:

Plaintext
Symmetric encryption algorithms (AES, DES, 3DES, etc.)

Storing passwords in plaintext allows anyone who happens to get a hold of the password the opportunity to read it. Sure, sure – the password is stored in a super secure SQL Server database that only sysadmins have access to – it is impenetrable and so there is no reason to use anything but plaintext. What happens when you make a backup of the database and that backup is stored someplace less secure? What happens if the backup is stored someplace super secure, but is transmitted to that location over an insecure medium? In short, there is no excuse for not securing passwords.

I had a client once (who shall remain anonymous) who wrote accounting software. It took over 3 million lines of C++ code to build their software, yet passwords were encrypted using a simple XOR encryption routine. The CEO was somewhat startled when it took me 10 minutes to write a quick program to “decrypt” every password in their database in less than 2 seconds. XOR is not a valid method for securing anything.

While symmetric encryption algorithms can be quite secure, 2 problems remain.
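As an added example (not code from the post's author or the client it describes), here is a constructed fixed-key XOR routine of the kind the anecdote mentions, shown beside a salted, slow password hash. The hashed form is my choice of replacement, since the post breaks off before naming one; the key, iteration count and sample passwords are all constructed.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The flawed scheme from the anecdote, reconstructed: a fixed key XORed over
# the password. XOR is its own inverse, so the same routine "decrypts", and
# whoever holds the key (which must live wherever the check runs) recovers
# every stored value at once. Constructed sample key; the real one is unknown.
XOR_KEY = b"\x5a\xa5"


def xor_scramble(data: bytes, key: bytes = XOR_KEY) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_is_reversible(password: bytes) -> bool:
    # Applying the routine twice yields the original password unchanged.
    return xor_scramble(xor_scramble(password)) == password


# The hardened form: a random per-user salt and a deliberately slow key
# derivation (PBKDF2-HMAC-SHA256). Nothing stored can be run backwards to
# the password; a login check simply re-derives and compares.
ITERATIONS = 200_000  # constructed value; raise it as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    print("XOR round-trips with no secret beyond the key:", xor_is_reversible(b"hunter2"))
    salt, digest = hash_password("correct horse battery staple")
    print("correct password verifies:", verify_password("correct horse battery staple", salt, digest))
    print("wrong password verifies:", verify_password("wrong", salt, digest))
```

A backup or dump of the salt-and-digest table gives an attacker only the work of guessing each password afresh, which is exactly what the XOR table did not.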