Frequently Asked Questions

Insecure Cryptographic Storage

Last Updated: June 1, 2011 3:46 PM

Websites that need to store sensitive information, such as usernames, passwords or other personal details, must use strong encryption to secure the data. Insecure cryptographic storage means sensitive data isn't stored securely. If malicious users can access insecurely stored data, they can view it with little effort.

Strong, standard cryptographic algorithms, such as AES, SHA-256 or RSA public-key cryptography, help prevent this vulnerability by encrypting the stored data into an undecipherable format. The data can only be deciphered with the correct decryption key, which you must also store securely, separate from the data it protects.

For example, an online store accepts credit cards and uses SSL to encrypt purchase information in transit. The site then stores the order information in a database on the server with no encryption.

An attacker accesses the database and downloads all of the order information, viewable in a spreadsheet on their computer.

If your website stores sensitive information, avoid using encryption methods that have proven weaknesses. If your site accepts and stores credit card information, refer to the PCI Data Security Standard for guidelines.
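As an added example (not part of the original FAQ), the following Python code contrasts the weak password storage the two paragraphs above warn against with a hardened form. The insecure function stores a bare, unsalted SHA-256 digest; the hardened functions use PBKDF2-HMAC-SHA256 from the standard library with a random per-user salt and a slow iteration count, and verify with a constant-time comparison. The iteration count, the record format and the sample credentials are assumptions chosen for illustration, not values from the original page.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration; not real accounts.
# Two users deliberately share a password to show the weakness of unsalted hashing.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "hunter2",
}

# Assumed iteration count: tune so one derivation costs roughly 100 ms on the
# server; raise it over time as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def store_password_insecure(password: str) -> str:
    """Insecure form: a fast, unsalted hash. Equal passwords give equal digests,
    and one precomputed table of SHA-256 values breaks every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened form: random 16-byte salt plus a deliberately slow key derivation.
    The record carries scheme, iterations, salt and digest so it can be verified
    later; no secret key has to be kept anywhere."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored parameters and compare in
    constant time; malformed or foreign-scheme records are rejected."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or rounds <= 0:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def duplicate_digests(records: list) -> bool:
    """Audit check: identical stored records mean identical passwords are
    visible to anyone who reads the table, the signature of unsalted storage."""
    return len(set(records)) < len(records)


def demo(iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Build both kinds of table for the sample users and report what an
    auditor would observe."""
    insecure = {u: store_password_insecure(p) for u, p in SAMPLE_USERS.items()}
    hardened = {u: store_password(p, iterations) for u, p in SAMPLE_USERS.items()}
    return {
        "insecure_reveals_shared_passwords": duplicate_digests(list(insecure.values())),
        "hardened_reveals_shared_passwords": duplicate_digests(list(hardened.values())),
        "hardened_verifies": all(verify_password(p, hardened[u]) for u, p in SAMPLE_USERS.items()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened record is self-describing, so the iteration count can be raised for new records while old ones still verify, and a migration can re-hash each user's password at their next successful login. Encrypting other sensitive fields, such as the order data in the FAQ's example, is a separate concern that needs a real encryption key managed outside the database rather than a one-way hash.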

To learn more about insecure cryptographic storage and other common vulnerabilities, see the Open Web Application Security Project's Top 10 Most Critical Web Application Security Risks.