isladogs
I don't know the legal requirements with regard to credit card info but I believe there has to be physical separation between client personal details and credit card info. In other words, never stored in the same database.
Similarly, I wouldn't recommend storing user passwords in a database. Where clients state it has to be done, I encrypt that information using an RC4 cipher and then separately encrypt the entire datafile.
With regard to both examples you gave I definitely wouldn't use Access for this information but not just for security reasons. SQL Server or similar will provide both additional security but also increased stability and scalability.
However, where Access is suitable in terms of stability and scalability, there is no question in my mind. Both MDB and MDE files are completely insecure. The passwords can be hacked easily and even without doing that, the files can be read using a text editor.
Encrypted ACCDB/ACCDE files are significantly more secure. Using a text editor reveals nothing. Passwords are very difficult to hack and can only be done using brute force. If a strong password is used, that will take many hours and possibly more than a day. Will any hacker have access to the file for that long or think it's worth the time and effort?
So if your data is in your opinion suited for storage in Access but contains anything remotely private/confidential, I would definitely advise converting to encrypted ACCDB/ACCDE or SQL Server.