I was recently involved in what turned out to be a security flame war about encryption and what fields to encrypt in a database.

To me, my name, address, and phone number are just as important as my credit card number, and I'm sure there are people out there who feel the same way. With programs like phpMyAdmin managing more and more MySQL databases, the chances of your personal information being exposed only increase. Imagine this: a dating website you're on stores every possible nook and cranny about you: your name, address, phone number, favorite activities, and any blogging about yourself you've done. Then a vulnerability in phpMyAdmin pops up, and with ease people are cracking into the dating site's database and downloading it to sell to the highest bidder. In reality, Google "/phpmyadmin/index.php" and run a dictionary attack against the top forty results. I'd bet you'd get into one or two.

Now what if your name, address, and phone number were encrypted, as SSNs and credit card numbers are? That database becomes pretty useless to someone, because it's YOU that makes the data valuable. Your personal information is valuable enough for people to spend their time stealing it. They don't care that sdlfkj4909wuslkdjvnvslkj lives in Los Angeles, CA; they want to know that John Smith lives at 555 Oak St in Los Angeles, CA.

As far as performance goes, I'd imagine it's a minor hit, since you're only encrypting/decrypting data when a user is changing it, which isn't very often for most applications. It's not the end-all be-all of security methods, but to me it's a nice extra layer, and to me security is about layers.


Follow Me @jimplush