Ian Evitable
Hello
I'm struggling with the concept of application security. At this point I don't
see how it works nor how it's possible in a shared web-hosting environment.
If I require a user logon to access the site I need somewhere to store the
user credentials, say a database. So I encrypt them as they sit in the
database. But if someone hacks the server and can download a copy of both
the database and the application then they can easily use ILDasm to check
out how to decrypt the encrypted database passwords, because my application
needs to do this in order to verify that a user's login was correct.
So basically why bother with internal application encryption at all if the
whole system falls apart once someone can bypass the front gate (server)? I
just don't get it.
If I use a one-way hash then the password must become disposable, as I can't
un-hash it but rather only compare new input to the existing hash. So if
that's the case then how come almost every site I have registered for is able
to send me my password if I "forget it"... including my bank.
Clearly they are using an encrypt/decrypt model... which goes back to why
bother. Once an attacker is through the front gate you're done like a dog's
dinner anyway.
Thanks
Ian
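A worked illustration of the one-way-hash model the post describes (store a salted hash, re-hash the login input and compare), plus the reset-token flow a site can use instead of mailing the old password back. This is an added example, not code from the thread; the in-memory `USERS` dict stands in for the database the post mentions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory "user table": username -> record. A real app keeps
# this in the database; the point is that it never holds the password itself.
USERS = {}
ITERATIONS = 600_000  # PBKDF2 work factor; tune upward as hardware gets faster


def store_password(username, password):
    """Store a per-user random salt and the one-way PBKDF2 hash, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    USERS[username] = {"salt": salt, "hash": digest, "reset": None}


def verify_password(username, password):
    """Re-hash the login input with the stored salt and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(digest, rec["hash"])


def issue_reset_token(username):
    """Forgot-password flow without a recoverable password: a one-time random
    token is sent to the user, and only its hash is kept server-side."""
    token = secrets.token_urlsafe(32)
    USERS[username]["reset"] = hashlib.sha256(token.encode()).digest()
    return token


def reset_password(username, token, new_password):
    """Accept the token once, then replace the stored hash with the new password's."""
    rec = USERS.get(username)
    if rec is None or rec["reset"] is None:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), rec["reset"]):
        return False
    store_password(username, new_password)  # new salt and hash; reset token cleared
    return True
```

A stolen copy of `USERS` plus the application source yields only salts, slow hashes and hashed one-time tokens, which is the difference from the encrypt/decrypt model the post worries about.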