Townsend Security Data Privacy Blog

How to Protect Databases that Contain Email Addresses and Passwords

Posted by Patrick Townsend on Jul 16, 2012 8:38:00 AM

Download Trial: NIST-Certified AES Encryption

NIST AES encryption

Download a free 30-day trial of our popular NIST-certified AES encryption for all enterprise platforms.

Download Evaluation Now

The recent email and password breaches at LinkedIn and Yahoo have exposed how severe the loss of this information can be.  A large majority of people use the same email account and the same password to authenticate to multiple web sites and services. For this reason, the breach of any one site compromises the security of the others.  And the fact that Facebook, Google, and other sites make it easy to share authentication makes the impact of a loss that much greater.

Because of these losses, I’ve been getting a lot of questions from CIOs and database administrators about protecting email addresses and email passwords in their databases. While the techniques used to protect information in databases are different than the techniques used to protect login credentials, you should definitely put this type of information under data protection controls.

Here are some steps you can take to protect this important personally identifiable information in your databases:

  • Be sure to encrypt BOTH the email address and the password.  I often find that companies only encrypt the password. It turns out that end users frequently use weak passwords and they are easy to guess. Even if the password is protected using strong encryption, the password can often be discovered through a dictionary attack. So encrypt BOTH the email address and the password.
  • Don’t decrypt an email address and password if you don’t need to. I’ve noticed that many applications automatically decrypt a password when a row is read from a database even if it is not needed. This just creates an unnecessary exposure point.
  • Use strong, industry standard encryption methods to protect the email address and password. I recommend using 256-bit AES encryption which is the most widely accepted standard for protecting data at rest.  Never use home grown or non-standard encryption.
  • Use good key management practices. Store the encryption keys on a key server HSM designed for this purpose. Storing the encryption key on the same server is like taping your house key to your front door when you leave in the morning.
  • Store passwords on a key server HSM and not in the local database. Many key server HSMs provide the option to import raw information like passwords to the key server, and then retrieve them only when needed.
  • Most important! Don’t be discouraged about the effort required to implement good encryption and key management. I’ve seen security efforts defeated before they begin because companies think that the effort will be too complex and too expensive. It’s probably easier than you might think.

Database vendors like Microsoft, IBM, Oracle, and others have done a lot over the last few years to make this effort easier. And security vendors (we are one) have also made progress in making encryption and key management faster and more affordable. Encryption is widely viewed as hard to do and expensive. That’s no longer true - times have changed!  Download a free 30-day evaluation of our NIST-certified AES encryption and see how easy it is to encrypt usernames, passwords, and other PII on your systems.

Patrick

Click me

Topics: Encryption, Data Privacy, Encryption Key Management