
Web application data security

Nowadays, information is crucial. Whoever holds it can make money, for example by investing capital at the right moment, or help another person because they know that help is needed. Unfortunately, there are also people who want to use information for bad purposes: against someone, by stealing it, or by blackmailing companies with the threat of making their customers' personal data public. How should projects be run to avoid such situations and protect your business against them?

The first practice worth mentioning, one that every company in the 21st century knows about, is aware of and uses, is password hashing. Its main advantage is irreversibility: a hashing algorithm transforms the password into a unique form from which the original cannot be recovered. People unfamiliar with the topic may wonder how the password can be checked at login if it is not stored. The answer is simple: create a hash from the password supplied during the login attempt and compare the two hashes. This way the real password is never stored in the database, and if attackers break in and steal the database, they cannot read the users' passwords and try them against other systems.
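The login flow described above, as an added Go example that is not code from the original post: a credential record is created with a random per-user salt and a deliberately slow derivation (PBKDF2-HMAC-SHA256), and a login attempt is checked by re-deriving from the stored salt and comparing in constant time. The derivation is written out over the standard library's HMAC only so the example has no dependencies; a real project should use a maintained implementation such as golang.org/x/crypto/pbkdf2, bcrypt or argon2. The function names, the record format and the iteration count are this example's own choices. The salt and the work factor are what the paragraph leaves implicit: a fast, unsalted hash such as bare SHA-256 can be undone in practice by guessing, so they are what keeps the stored value safe if the table is stolen.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// defaultIterations is the work factor (OWASP cites 600,000 for PBKDF2-HMAC-SHA256); tune it to your hardware.
const defaultIterations = 600000

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF. It is
// spelled out here only to keep the example dependency-free.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	var counter [4]byte
	for i := 1; i <= numBlocks; i++ {
		// U_1 = PRF(password, salt || INT_32_BE(i))
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(counter[:], uint32(i))
		prf.Write(counter[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_j = PRF(password, U_{j-1}); T_i = U_1 xor U_2 xor ... xor U_c
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// PBKDF2Hex exposes the raw derivation as hex so it can be checked against
// published test vectors.
func PBKDF2Hex(password, salt string, iterations, keyLen int) string {
	return hex.EncodeToString(pbkdf2SHA256([]byte(password), []byte(salt), iterations, keyLen))
}

// HashPassword returns the string stored instead of the password: algorithm,
// iteration count, random per-user salt and derived key, so parameters can be
// raised later without breaking existing records.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, defaultIterations, 32)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s",
		defaultIterations,
		base64.RawStdEncoding.EncodeToString(salt),
		base64.RawStdEncoding.EncodeToString(dk)), nil
}

// VerifyPassword re-derives the key from the login attempt using the stored
// salt and parameters, then compares in constant time.
func VerifyPassword(password, stored string) bool {
	parts := strings.Split(stored, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	iterations, err := strconv.Atoi(parts[1])
	if err != nil || iterations < 1 {
		return false
	}
	salt, err := base64.RawStdEncoding.DecodeString(parts[2])
	if err != nil {
		return false
	}
	expected, err := base64.RawStdEncoding.DecodeString(parts[3])
	if err != nil || len(expected) == 0 {
		return false
	}
	got := pbkdf2SHA256([]byte(password), salt, iterations, len(expected))
	return subtle.ConstantTimeCompare(got, expected) == 1
}

func main() {
	stored, _ := HashPassword("correct horse battery staple")
	fmt.Println(stored, VerifyPassword("correct horse battery staple", stored), VerifyPassword("Tr0ub4dor&3", stored))
}
```

Because the salt is random, hashing the same password twice yields two different records, so a stolen table cannot be attacked with one precomputed list for all users, and the self-describing format lets the iteration count be raised as hardware gets faster.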

What if we also want to prevent a hacker from stealing user data such as name, surname or email address? Are we powerless against such a threat? No. In addition to hashing our users' passwords, we can also encrypt sensitive data in our systems. What does this mean in practice? Instead of storing sensitive data in the database as it is, we apply an encryption algorithm that transforms the data into a reversible form, using a secret as the key. This imposes certain limitations on us, because the database can no longer filter encrypted data easily, but we can load the data into the application's memory and perform filtering, projection or pagination there. Working with the data becomes more difficult, but the data stays safe, which is what matters.
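The approach above, as an added Go example that is not code from the original post: sensitive columns are stored as AES-256-GCM ciphertext, and the "filter in application memory" limitation is shown by decrypting rows before matching on the email domain. The type names, the demo key and the three customer rows are constructed for this example; in a real system the key comes from a secrets manager or KMS. GCM is used rather than a bare block cipher so that a modified or truncated blob is rejected instead of decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// Customer is the plaintext view the application works with in memory.
type Customer struct{ ID int; Name, Email string }

// StoredCustomer is the database row: the sensitive fields exist only as
// AES-256-GCM blobs laid out as nonce || ciphertext || authentication tag.
type StoredCustomer struct{ ID int; Name, Email []byte }

// demoKey is a constructed 32-byte key for this example only; a real system
// loads it from a secrets manager or KMS, never from source or the database.
var demoKey = []byte("example-only-key-0123456789abcde")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one value under a fresh random nonce and prepends the
// nonce, so the stored blob carries everything needed to decrypt it.
func EncryptField(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptField reverses EncryptField and fails on any modified byte, because
// GCM authenticates the ciphertext as well as hiding it.
func DecryptField(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// SampleDatabase encrypts a few constructed customers the way the write path
// would before the rows reach the database.
func SampleDatabase(key []byte) ([]StoredCustomer, error) {
	people := []Customer{{1, "Alice Example", "alice@example.com"},
		{2, "Bob Example", "bob@example.com"}, {3, "Carol Other", "carol@example.org"}}
	rows := make([]StoredCustomer, 0, len(people))
	for _, p := range people {
		name, err := EncryptField(key, []byte(p.Name))
		if err != nil {
			return nil, err
		}
		email, err := EncryptField(key, []byte(p.Email))
		if err != nil {
			return nil, err
		}
		rows = append(rows, StoredCustomer{p.ID, name, email})
	}
	return rows, nil
}

// FindByEmailDomain shows the limitation the article describes: the database
// cannot match on an encrypted column (equal plaintexts encrypt to different
// blobs), so rows are decrypted in application memory and filtered there.
func FindByEmailDomain(key []byte, rows []StoredCustomer, domain string) ([]Customer, error) {
	var out []Customer
	for _, r := range rows {
		email, err := DecryptField(key, r.Email)
		if err != nil {
			return nil, err
		}
		if !strings.HasSuffix(strings.ToLower(string(email)), "@"+strings.ToLower(domain)) {
			continue
		}
		name, err := DecryptField(key, r.Name)
		if err != nil {
			return nil, err
		}
		out = append(out, Customer{r.ID, string(name), string(email)})
	}
	return out, nil
}

func main() {
	rows, _ := SampleDatabase(demoKey)
	found, err := FindByEmailDomain(demoKey, rows, "example.com")
	fmt.Println(found, err)
}
```

Two practical caveats: with random 96-bit nonces a single GCM key should not be used for more than about 2^32 encryptions, so plan for key rotation, and the nonce is safe to store in the clear but must never be reused with the same key.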

Data encryption and hashing are, of course, not the only forms of data security. Production systems should also use security measures at the network level, e.g. by allowing traffic to the database only from specific IP addresses. It is worth layering more than one security measure so that, in an emergency, when one mechanism fails, another continues to protect the data.

Maciej Cebula
