I think we also need to discuss the various types of data encryption available in MySQL, especially for storing data in password columns.
Encrypted or not - you should never store passwords in a database.
Structured Query Language, known as SQL, helps in managing relational databases and allows you to perform various operations on them.
@SAM, care to provide more details around this? While I have read threads where others agree with this, I’m 100% certain that this happens anyway (I support a product that does this in various ways) and the engine behind this very forum does this as well.
Perhaps some suggestions of “what to do instead of” or “if you must, here are my thoughts” might prove helpful to the conversation and knowledge sharing.
Personally, I’m interested in this topic and would like to hear your thoughts.
Best regards.
I’m very sure Discourse doesn’t store passwords in its db…
Many users reuse the same credentials for various sites, applications, etc., so the potential impact of storing passwords in your database can be huge to your users if this data is stolen. If you encrypt the passwords, the attacker will sooner or later be able to decrypt them. So instead of storing passwords you can store hashes of salted passwords, using a hashing algorithm proven suitable for your purpose.
In the authentication process you then recalculate the hash from the given credentials and compare it to the hash in the db.
This way an attacker won’t be able to reconstruct the plain text passwords from the stolen data to use them on other accounts of your users elsewhere.
Of course this is a minimum scenario. If it would be worthwhile to spend considerable amounts of time and money to hack you or your users, you should consider buying in some expertise.
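The scheme described in the post above, as an added example that is not code from anyone in this thread: store a random per-user salt, a PBKDF2 digest and the iteration count instead of the password, and at login recompute the digest and compare it in constant time. Python is used because the hashing belongs in the application, not in the database engine; an in-memory SQLite table stands in for the MySQL users table. The column names, the choice of PBKDF2-HMAC-SHA256, the 600,000 iteration count, the 16-byte salt and the dummy-hash trick for unknown usernames are all assumptions for this example, not anything the thread or Discourse specifies.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Parameters are assumptions for this example, not values from the thread:
# PBKDF2-HMAC-SHA256, a high iteration count and a random per-user salt.
HASH_NAME = "sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> tuple:
    """Return (salt, digest, iterations). A fresh random salt is drawn when
    none is supplied, so two users with the same password get different
    digests and a precomputed table of hashes is useless to an attacker."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    """Recompute the digest from the submitted password with the stored salt
    and iteration count, then compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def create_store() -> sqlite3.Connection:
    """In-memory SQLite stand-in for a MySQL users table (assumed schema).
    There is no password column, only salt, digest and iteration count."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "  username   TEXT PRIMARY KEY,"
        "  salt       BLOB NOT NULL,"
        "  pw_digest  BLOB NOT NULL,"
        "  iterations INTEGER NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Hash the password and store only the salt, digest and iterations."""
    salt, digest, iterations = hash_password(password)
    conn.execute(
        "INSERT INTO users (username, salt, pw_digest, iterations) VALUES (?, ?, ?, ?)",
        (username, salt, digest, iterations),
    )
    conn.commit()


# Digest of a throwaway password under a fixed salt, computed once so a login
# attempt for an unknown username costs the same work as one for a real user.
_DUMMY_SALT = b"\x00" * SALT_BYTES
_DUMMY_DIGEST = hashlib.pbkdf2_hmac(HASH_NAME, b"dummy", _DUMMY_SALT, PBKDF2_ITERATIONS)


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Look up the stored salt/digest and verify the submitted password."""
    row = conn.execute(
        "SELECT salt, pw_digest, iterations FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Burn the same amount of work so response time does not reveal
        # whether the username exists, then reject.
        verify_password(password, _DUMMY_SALT, _DUMMY_DIGEST, PBKDF2_ITERATIONS)
        return False
    salt, digest, iterations = row
    return verify_password(password, salt, digest, iterations)


def stored_digests_differ(conn: sqlite3.Connection, user_a: str, user_b: str) -> bool:
    """True when two accounts hold different digests; expected even when they
    chose the same password, because each got its own random salt."""
    a = conn.execute("SELECT pw_digest FROM users WHERE username = ?", (user_a,)).fetchone()[0]
    b = conn.execute("SELECT pw_digest FROM users WHERE username = ?", (user_b,)).fetchone()[0]
    return a != b


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    db = create_store()
    register(db, "alice", "correct horse battery staple")
    register(db, "bob", "correct horse battery staple")
    print("alice, right password:", authenticate(db, "alice", "correct horse battery staple"))
    print("alice, wrong password:", authenticate(db, "alice", "Tr0ub4dor&3"))
    print("unknown user:", authenticate(db, "mallory", "anything"))
    print("same password, different digests:", stored_digests_differ(db, "alice", "bob"))
```

Storing the iteration count beside each digest lets you raise it later and rehash users on their next successful login without a flag day; `hmac.compare_digest` avoids leaking how many leading bytes of the digest matched.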
Excellent reply, thank you for taking the time to do so. I wasn’t making the distinction between these methods when thinking of how the data is stored.
For additional clarity/correction, Discourse states: Discourse uses the PBKDF2 algorithm to encrypt salted passwords.
For anyone interested, here’s a pretty good article that discusses the differences between encryption, hashing and salting.