Is it useful to encrypt usernames stored in the database?

Question

Is it useful to encrypt usernames stored in the database?

The first and accepted answer to this question about password management suggests encrypting user identifiers in the database.

The good point is that if someone gets a password, he needs to know how to decrypt the user's login in order to get a full login / password pair.

Some disadvantages that I see, for example:

you need to decrypt user logins every time you want to display them.
If you want to do a login search to find users, you cannot just use LIKE '...%'
ORDER BY the login field can be quite complicated ...

What would you recommend (encrypt user IDs or not)?

+5

language-agnostic security database login database-design

Frosty z Nov 15 '11 at 16:29

source share

2 answers

Neville Kuyt · Answer 1 · 2011-11-15T19:23:58+0000

As usual, the answer is "it depends."

In general, I would say that if an attacker has access to your database, your security situation is so badly compromised that password encryption will most likely not help you. This is different from using a one-way hash - it is likely that an attacker who has access to your database also has access to your decryption key, while one-way hashes are, by definition, one way.

, , ( ); , , .

, , , , , .

, , .

rook · Answer 2 · 2011-11-15T19:05:09+0000

, . , CWE-257.

hash ? . . , , .

, . , , , , .

Is it useful to encrypt usernames stored in the database?

More articles: