Should I be encrypting OpenID's in my database? - McMap

About

Should I be encrypting OpenID's in my database?

Asked 29/10, 2010 at 15:8 Answered 29/10, 2010 at 21:1

Solved encryption openid google-openid

S

1

7

I am storing OpenIDs into a database so I can log in users very quickly. Should I be encrypting them in my database?

An alternative question would be, are they considered 'sensitive' information?

Steato answered 29/10, 2010 at 15:8 Comment(0)

P

9

Contrary to another answer: No. There's no point in doing it.

To get access to an account, one must first authenticate with the OP. There is no method to somehow break into someone's account by simply knowing an identifier (and only that).

The OpenID protocol, by design, allows users to place their identifiers in very obvious places (like their homepage) with little additional risk. If identifiers were meant to be 'sensitive' information, it wouldn't be possible to delegate OpenIDs.

If the fact that your database has been compromised would imply that an attacker has access to all the identities, OpenID would be really, really insecure (and it isn't).

The OpenID identifier is only a url pointing at a provider. From this information, you can't infer anything more than who the user claims to be (and in case of directed identity, not even that).

You could ask yourself: "Should I be encrypting logins?" If your answer is true -- encrypt the identifiers, because they are no different. If it's false, then don't bother.

Pattani answered 29/10, 2010 at 21:1 Comment(4)

This should be marked as the correct answer. What I said in comments was incorrect, and your last line pretty much sums up the answer better than mine. I still think there may be problems with certain types of claimed identifiers however. I will work on it tonight. – Brophy 29/10, 2010 at 21:40

Urgh. Someone has posted an incorrect answer (no offence, @NickLarsen; i salute your comment above) - and it has been upvoted and accepted. This happens quite often, although rarely in such a clear-cut way. This is not a good thing. What can we do about this? Is there anything we can do about this? Has Stack Overflow jumped the shark? – Virile 29/10, 2010 at 22:35

I cannot delete it because it was accepted, but I was able to edit it. – Brophy 30/10, 2010 at 0:42

Of course, you might want your users to stay anonymous (or your users might want to stay anonymous) to any possible database crackers. If this is the case, you should encrypt. – Nelia 12/8, 2011 at 21:3

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.