Question

I am storing OpenIDs in a database so I can log in users very quickly. Should I be encrypting them in my database?

An alternative question would be, are they considered 'sensitive' information?

Solution

Contrary to another answer: No. There's no point in doing it.

To get access to an account, one must first authenticate with the OP. There is no method to somehow break into someone's account by simply knowing an identifier (and only that).

The OpenID protocol, by design, allows users to place their identifiers in very obvious places (like their homepage) with little additional risk. If identifiers were meant to be 'sensitive' information, it wouldn't be possible to delegate OpenIDs.

If the fact that your database has been compromised would imply that an attacker has access to all the identities, OpenID would be really, really insecure (and it isn't).

The OpenID identifier is only a URL pointing at a provider. From this information, you can't infer anything more than who the user claims to be (and in case of directed identity, not even that).

You could ask yourself: "Should I be encrypting logins?" If your answer is true -- encrypt the identifiers, because they are no different. If it's false, then don't bother.
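
An added example, not part of the original answer: a relying party that stores identifiers in plaintext and grants a session only when the OP's signature over the assertion verifies, so a leaked identifier alone gets nowhere. The URLs, key, table layout and function names are constructed; it assumes an HMAC-SHA256 association with the OP already exists and that nonce replay, `return_to` and discovery checks are handled elsewhere.

```python
import base64
import hashlib
import hmac
import sqlite3

# Constructed sample values: the MAC key is the association secret shared with the OP.
MAC_KEY = b"constructed-association-secret"
SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"


def sign(fields, mac_key):
    """OpenID 2.0 style signature: base64(HMAC-SHA256(key, 'k:v\\n' per signed field))."""
    token = "".join(f"{k}:{fields.get(k, '')}\n" for k in fields["signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, token.encode(), hashlib.sha256).digest()).decode()


def make_db():
    """Identifiers are stored in plaintext, indexed for fast lookup, like any login name."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, claimed_id TEXT UNIQUE NOT NULL)")
    db.execute("INSERT INTO users (claimed_id) VALUES ('https://alice.example/')")
    return db


def login(db, assertion, mac_key=MAC_KEY):
    """Return the local user id only if the OP's signature over the assertion verifies."""
    if assertion.get("signed") != SIGNED:  # this example requires exactly this signed list
        return None
    expected = sign(assertion, mac_key).encode()
    if not hmac.compare_digest(expected, str(assertion.get("sig", "")).encode()):
        return None
    row = db.execute("SELECT id FROM users WHERE claimed_id = ?",
                     (assertion.get("claimed_id"),)).fetchone()
    return row[0] if row else None


def op_assertion(claimed_id, mac_key=MAC_KEY):
    """What the OP sends back after the user has authenticated there (constructed)."""
    a = {"op_endpoint": "https://op.example/auth", "claimed_id": claimed_id,
         "identity": claimed_id, "return_to": "https://rp.example/return",
         "response_nonce": "2024-01-01T00:00:00Zabc123", "assoc_handle": "h1",
         "signed": SIGNED}
    a["sig"] = sign(a, mac_key)
    return a
```
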

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow