I’m surprised by how many developers aren’t familiar with encryption. Many say to me that encryption is MD5 and SHA-1.
Applications often need one-way encryption (hashing, where the original value can never be recovered) and two-way encryption (where the data is decrypted again later). There are also public/private key encryption schemes like PGP, which are not as commonly used in web applications.
When using encryption to keep data secure, there are many considerations.
One-Way Encryption Suggestions
- Use a salt string so that identical inputs don’t produce identical hashes
- Store the salt string in a safe place where web surfers can’t see it
- Don’t send the salt string across the network (e.g. don’t store it in a database)
Two-Way Encryption Suggestions
- Use a strong algorithm such as AES (not Triple DES or Blowfish)
- Store the key in a safe place where web surfers can’t see it
- Don’t send the key across the network (e.g. don’t store it in a database)
- Don’t decrypt data and then send it across the network in the clear (e.g. by encrypting/decrypting in MySQL, which passes the key and plaintext between the application and the database)
- Keep it simple by storing the IV (initialization vector) together with the encrypted string, and keeping the encrypted string in base64
- Pretend that the information you store is your own; would you be uncomfortable if a hacker saw it? Always encrypt information like social security numbers, credit card numbers and other account numbers. Consider encrypting personal data such as name, phone and address.
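As an added example (not code from the original post), here are the two-way suggestions above applied in Go with only the standard library: AES in GCM mode, a random IV stored in front of the ciphertext, and base64 for the stored value. The function names are my own, and the key is assumed to be loaded by the application from a location outside the web root and the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"io"
)

// NewAEAD turns a 16-, 24- or 32-byte AES key into a GCM cipher.
// Do it once at startup from a key kept outside the web root and database.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-GCM, prepends the random nonce (the IV) to the
// ciphertext and base64-encodes the result so one text column holds it.
func Seal(gcm cipher.AEAD, plaintext string) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal; the GCM tag makes it fail on a wrong key or a
// modified blob instead of returning garbage.
func Open(gcm cipher.AEAD, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(raw) < n {
		return "", io.ErrUnexpectedEOF // truncated: no room for the nonce
	}
	pt, err := gcm.Open(nil, raw[:n], raw[n:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

Because GCM authenticates the stored blob, a wrong key or an edited database row is reported as an error rather than silently decrypting to garbage.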