When you deal with account info, how secure should each data item be?
I’m going to do three categories and list items under them, please tell me if I’m right/wrong:
Encrypt:
password
Encode:
email,
address,
paypal,
secret_answer,
Leave as is:
everything else
Django encrypts the password automatically, or is this hashing? What’s the difference between hashing and encrypting?
I know encoding doesn’t add security, but it’s better than a hacker just looking at the info right? Like if the hacker does bother with decoding the info, does the time bought to inform the users of the breach outweigh the bother of encoding the info?
If I use hashlib.sha1, is sha1(sh1+sha1) safe enough?
encode doesn’t add any security.
Encrypt password is never good, you’re never free of lossing the key or something like that.
You should Hash the password using salt (just search some questions about it in stackoverflow and you’ll find good points about it).
Email, address: maybe encrypt, depends if you want it to be searchable inside your database
Paypal: what do you mean with it? just an email for login? encrypt.
secret_answer is just like a password, so use the same approach.
Edit: encoding, obfuscation, saving the string backwards, using ROT-3 cryptography is even worst than using none: with none you know you don’t have security, with this silly “protections” you’ll fool yourself that you have security, and will relax on other securities.