The very first and accepted answer on this question about password management suggests encrypting the user identifiers in the DB.

The good point is that when anybody gets your password, he still needs to know how to decrypt the user login to obtain the full login/password pair.

Some disadvantages I see, for instance:

  • you need to decrypt user logins any time you wish to display them
  • if you wish to perform a 'begins with' search on user login to locate users, you can't simply use LIKE '...%'
  • ORDER BY on the login field might be very difficult too...

What would you recommend (encrypt user identifiers or not)?

Encryption is regarded as a weaker form of secret storage than message digest functions. Actually, storing an encrypted password is a clear violation of CWE-257.

Why not hash the username? Once the user logs in, the application will have the plain text. Depending on the application, you may not have to display a list of users. This is an additional layer of security, as both hashes need to be broken before the attacker can log in.

That being said, if you have a plain text list of every username it will be trivial to carry out a dictionary attack against any retrieved hash. Additionally, usernames aren't designed to be hard to guess; often users choose wacky names of wild birds or silly games like chess so that they are easy to remember.
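One way to put the hash-the-username idea into practice while still supporting login, as an added example that is not code from either answer. It goes one step beyond the plain hash discussed above: the username index is a keyed HMAC with a key held outside the database, precisely because an unkeyed hash of a short, guessable username is what the dictionary-attack caveat warns about. The secret key, the PBKDF2 parameters and the in-memory dict standing in for the table are assumptions made for the example; the index supports exact-match lookup only, which is also why the prefix search and ORDER BY from the question cannot be done on it.

```python
import hashlib
import hmac
import os

# Constructed server-side secret for the username index. In a real deployment it
# lives outside the database (KMS/HSM or config), never beside the hashed rows.
INDEX_KEY = b"example-index-key-not-for-production"
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for your hardware


def username_index(username: str, key: bytes = INDEX_KEY) -> str:
    """Keyed, deterministic index of the username (a 'blind index').

    A plain unkeyed hash would let anyone holding the dump and a list of likely
    usernames recover who is in the table; HMAC with a key kept out of the
    database blocks that offline guessing while still allowing exact lookups.
    """
    normalized = username.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 digest; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def register(db: dict, username: str, password: str) -> None:
    """Store only the username index and a salted password hash, no plaintext."""
    salt, digest = hash_password(password)
    db[username_index(username)] = {"pw_salt": salt, "pw_hash": digest}


def login(db: dict, username: str, password: str) -> bool:
    """Both the username index and the password hash must match."""
    record = db.get(username_index(username))
    if record is None:
        # Run the KDF anyway so an unknown user costs the same time as a bad password.
        hash_password(password, os.urandom(16))
        return False
    _, digest = hash_password(password, record["pw_salt"])
    return hmac.compare_digest(digest, record["pw_hash"])


def stored_keys(db: dict) -> list:
    """What someone reading the table sees as identifiers: opaque hex, no usernames."""
    return list(db.keys())
```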

As always, the answer is "it depends".

Generally, I'd say that if the attacker can access your database, your security situation is so badly compromised that encrypting the passwords will probably do you no favours. This is different from using a one-way hash: the chances are an attacker who can access your database can also access your decryption key, whereas one-way hashes, obviously, are one way.

As you already say, it's likely that you'll want regular access to the user IDs (esp. if you are using emails as user IDs); in that situation, again, an attacker who can read your database likely can intercept the unencrypted data.

So, if you work for a bank, the government, or another place where data security needs to be at the top of the list, this additional protection might be worthwhile, particularly if you have a strong key management system.

For other uses, I'd consider that the additional security doesn't merit the extra discomfort.