Encrypt user name and email or not?
Date: 15/09/2010 09:53:57

General information
Forum: Visual FoxPro
Category: Other
Miscellaneous
Thread ID: 01481002
Message ID: 01481257
Views: 42
>>>>>>I am wondering if it is a good idea to encrypt user name and email address of users in User and Password Table? Of course, I encrypt password field entry. But I am not sure of what is a good practice with regards to User Name and Email Address columns. TIA for any input
>>>>
>>>>It depends on the ownership of the app and the relationship with the customer.
>>>>
>>>>If it's theirs, there's no indication to encrypt.
>>>>
>>>>If it's yours, then it depends on how things work at the customer.
>>>>
>>>>We've never encrypted usernames but I did have one customer where a bright spark in the IT Dept copied data out of our system and replicated some functionality to try to reduce maintenance fees. That's not allowed in contract, but who wants to sue a customer? Easier to create mechanisms that don't affect their use of the product but create barriers to this sort of behavior. It also makes it more difficult for the worst sort of competitor who will happily sneak a copy of your user table to create a localized demo of their competing product.
>>>>
>>>>If you do encrypt, the customer is entitled to a mechanism to retrieve business data if and when the relationship ends for whatever reason. Ideally this is spelled out in contract too. If you can't satisfy the customer in this respect, IMHO it would be wrong to encrypt.
>>>
>>>I am not at all concerned - with this application - that the customer will try to reduce fees or take away some business or whatever. In fact, I am not even concerned about security (it is fairly easy to bypass my encrypting schema by simply deleting all records in the Password table :)). It is that I wanted my application to "look" more professional in the eyes of a DBA or whoever might want to look into the application. So I am going with the approach of only encrypting the user password.
>>>
>>>Thank you.
>>
>>Even more professional if you were to hash the password - imo
>
>Can you see, by looking at an entry in a column, if the entry is encrypted with some cipher code or hash?


I was just pulling your leg - but to answer the question

(1) a hash is always the same length (eg md5 hash = 16 bytes or 32 hex chars)
(2) encryption without block ciphering (eg rc4) : the lengths will vary
(3) If you use block ciphering, the lengths will vary depending on the length of the password, but all lengths will be a multiple of the block

So, looking at the lengths of the encrypted passwords

- if the length is constant, it's likely to be a hash
- if the lengths are a multiple of something (not 1) it's likely to be a block cipher
- otherwise it's encrypted, but not with a block cipher

In case of passwords - since the lengths are small - it's difficult to distinguish between hash and block cipher


see http://en.wikipedia.org/wiki/Block_cipher
http://en.wikipedia.org/wiki/Cryptographic_hash_function

Post your encrypted passwords and let me guess
Gregory
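
The length heuristic from the reply above, as an added example that is not part of the original post. The passwords are constructed, and `stream_standin` and `block_standin` are hypothetical stand-ins that only reproduce the output lengths of a stream cipher and of an 8-byte block cipher; they are not real ciphers. The last column shows the caveat about short passwords: every entry fits in one block, so the column looks like a hash.

```python
import hashlib
from functools import reduce
from math import gcd

def classify_column(values):
    """Guess how a column was protected from the byte lengths of its entries."""
    lengths = sorted({len(v) for v in values})
    if len(lengths) == 1:
        return "constant length: likely a hash"
    step = reduce(gcd, lengths)
    if step > 1:
        return f"multiples of {step}: likely a block cipher"
    return "varying lengths: encrypted, not a block cipher"

def stream_standin(data, key=b"demo-key"):
    # Constructed stand-in for a stream cipher: output is as long as the input.
    stream = hashlib.sha256(key).digest() * (len(data) // 32 + 1)
    return bytes(a ^ b for a, b in zip(data, stream))

def block_standin(data, block=8):
    # Constructed stand-in for a block cipher: pad to a whole number of blocks.
    pad = block - len(data) % block
    return stream_standin(data + bytes([pad]) * pad)

# Constructed sample passwords (lengths 6, 13, 7 and 24 bytes).
PASSWORDS = [b"secret", b"correct horse", b"hunter2", b"a-much-longer-passphrase"]
SHORT = [b"secret", b"hunter2", b"abc"]  # all shorter than one 8-byte block

if __name__ == "__main__":
    columns = {
        "md5": [hashlib.md5(p).digest() for p in PASSWORDS],
        "stream": [stream_standin(p) for p in PASSWORDS],
        "block": [block_standin(p) for p in PASSWORDS],
        "block, short passwords": [block_standin(p) for p in SHORT],
    }
    for name, col in columns.items():
        print(f"{name:24} -> {classify_column(col)}")
```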