Storing other people's sensitive data

From Jonathan Gardner's Tech Wiki

Abstract

Storing other people's sensitive data is hard. Sensitive data includes passwords, credit card numbers, and anything else you think people shouldn't see if they happened to obtain access to your most critical systems. The best way to store data like this is (a) don't store it, or (b) store it in a way that nobody can get at it without additional information.

Best Practices

Passwords

Passwords are a special case. See, we don't have to store the password. In fact, we shouldn't. What we should store is the cryptographic hash of the password. When the user types in the password, we can take the hash of that and pass it around rather than passing around the password itself.

The password plus a long, random, and unique salt is used for the hash.

http://www.aspheute.com/english/20040105.asp

http://en.wikipedia.org/wiki/Salt_%28cryptography%29

Password + salt => sha1
Password + salt => md5

On login, compute both hashes from the submitted password and the stored salt, and check that both match the stored values. Even if SHA-1 and MD5 are individually compromised, the chance of an attacker finding a string that produces the same result in both is practically zero.

Update 2015: Computers are extremely fast nowadays. It's not hard to brute-force even the above scheme, which was fine 5 years ago. Nowadays you have to use something like bcrypt, a hashing algorithm that is designed to take a long time to compute. You may also want to look into other technologies, such as two-factor authentication, which requires that the user both know the password AND control the phone number or email address on the account.

There's no use putting any kind of secret in there. The password is already the secret.
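The two ideas above (a long, random, unique salt per password, and a deliberately slow hash with a tunable work factor in the style of bcrypt) put together, as an added example that is not part of the original wiki page. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, since it has the same shape: salted, slow, and with an iteration count you raise as hardware gets faster. The stored record format (`pbkdf2_sha256$iterations$salt$hash`), the iteration count and the `needs_rehash` helper are this example's own assumptions, not anything the page prescribes.

```python
import hashlib
import hmac
import os

# Work factor, the same role as bcrypt's cost parameter. Assumed value for this
# example: tune it so one hash takes a noticeable fraction of a second on the
# hardware you actually run on, and raise it over time.
ITERATIONS = 200_000
SALT_BYTES = 16          # 128 bits of randomness, unique per stored password
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash a password with a fresh random salt.

    Returns a self-describing record "algorithm$iterations$salt_hex$hash_hex"
    so that the salt and work factor travel with the hash. Nothing secret is
    stored: the password itself is the only secret, exactly as the page says.
    """
    salt = os.urandom(SALT_BYTES)            # long, random, and unique
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "{}${}${}${}".format(ALGORITHM, iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        iteration_count = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False                         # malformed or legacy record
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iteration_count)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is below the current work factor (or is not in
    the current format), so it can be upgraded the next time the user logs in
    and the plaintext password is briefly available."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password still
    # get different records because each one gets its own salt.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("records differ:", alice != bob)
    print("alice ok:      ", verify_password("correct horse battery staple", alice))
    print("wrong password:", verify_password("Correct horse battery staple", alice))
    old = hash_password("correct horse battery staple", iterations=1_000)
    print("old record needs upgrade:", needs_rehash(old))
```

At login, check `verify_password` first and, if it succeeds and `needs_rehash` is true, call `hash_password` on the plaintext you just verified and overwrite the stored record. That is how a deployment keeps raising its work factor without ever storing the password itself.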

Credit Card Numbers

In short, don't. You have to talk with the credit card company about doing this. Even if you get it right, there's still a huge danger.