All times are UTC




Post subject: So after all this cipher stuff...
 
Godlike Poster

Joined: Sun Oct 16, 2005 9:42 am
Posts: 8798
Karma: 17

Location: Imagine in your mind a posh country club
Steam Login Name: azcn2503
A lot of systems in the last few weeks/months/50days got hacked and their information leaked in a plain text format.

I have a concept that I think could work to help further protect people's information in the event that someone breached a database somewhere, and I believe it should be a common practice. However, I know that it is not.

For every record in a database that contains personal information, it would make sense to encrypt that data. So for example, their credit card number, or their email address, or their real address. The encryption key could be some combination of their username and password hash, combined with a date/time of registration, last login, last transaction, and/or some other secret pass phrase.

This way, every record in the database would be encrypted differently and it would be extremely tough to crack unless they had access to the files that decrypted the information - which should obviously not be hosted publicly (server screws up and loses PHP plugin for example - all the raw source code would display).

Of course, this does not protect against inside attacks. It never has done and never will do.

I'm going to try to do something like this on webtagr.com this week if I get the time. Which I won't.

_________________
Follow your heart and live the dream <3


Tue Jun 28, 2011 6:21 pm 
 
Post subject: Re: So after all this cipher stuff...
 
Unstoppable

Joined: Sun Jul 20, 2008 3:27 pm
Posts: 1119
Karma: 0

Steam Login Name: sparksftw
Except... it is encrypted. The last link from lulzsec was all encrypted passwords. Sony was the only idiot storing stuff in plaintext (Seriously?)



Wed Jun 29, 2011 12:14 am 
 
Post subject: Re: So after all this cipher stuff...
 
Godlike Poster

Joined: Sun Oct 16, 2005 9:42 am
Posts: 8798
Karma: 17

Location: Imagine in your mind a posh country club
Steam Login Name: azcn2503
Did they say how well the data was encrypted?

_________________
Follow your heart and live the dream <3


Wed Jun 29, 2011 5:31 am 
 
Post subject: Re: So after all this cipher stuff...
 
Unstoppable

Joined: Sun Jul 20, 2008 3:27 pm
Posts: 1119
Karma: 0

Steam Login Name: sparksftw
Sony's data? They might as well have had a big sign saying HACK ME plastered all over their back. No idea about other companies.



Wed Jun 29, 2011 9:49 pm 
 
Post subject: Re: So after all this cipher stuff...
 
Godlike Poster

Joined: Sun Oct 16, 2005 9:42 am
Posts: 8798
Karma: 17

Location: Imagine in your mind a posh country club
Steam Login Name: azcn2503
But once the hack was made, the data was available in plaintext, right?

_________________
Follow your heart and live the dream <3


Thu Jun 30, 2011 7:14 am 
 
Post subject: Re: So after all this cipher stuff...
 
Top Gun (Admin)

Joined: Mon Sep 12, 2005 1:37 pm
Posts: 5855
Karma: 38

Location: Looking for the droid you're looking for.
Steam Login Name: simonpcook
a) Are we mistaking hash for encrypt in places? They are different functions and have different usefulnesses in different places.

b) It doesn't matter how well something is encrypted. All good security should depend on the key being private and a good algorithm; even if a database is leaked, without the correct key the data should be entirely useless.




Thu Jun 30, 2011 10:45 am 
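
Added example, not part of the thread: a sketch of the per-record key idea from the first post combined with point (b) above, where each record's key is derived from a secret held outside the database plus that record's own fields. The row layout, `SECRET` and the sample rows are constructed for illustration, and the HMAC counter-mode cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, os

def hkdf(ikm, salt, info, length=32):
    """HKDF-SHA256 (RFC 5869): extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def record_keys(master_secret, row):
    """Per-record (encryption key, MAC key). Row fields only make the keys
    differ between records; the secrecy comes from master_secret alone."""
    info = f"{row['username']}|{row['registered']}".encode()
    okm = hkdf(master_secret, row["salt"], info, 64)
    return okm[:32], okm[32:]

def _xor_stream(key, nonce, data):
    # Stand-in cipher: HMAC-SHA256 in counter mode (assumption; use AES-GCM in practice).
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_field(master_secret, row, plaintext):
    enc_key, mac_key = record_keys(master_secret, row)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # store this blob in the column

def decrypt_field(master_secret, row, blob):
    enc_key, mac_key = record_keys(master_secret, row)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key, wrong record, or tampered data")
    return _xor_stream(enc_key, nonce, ct)

# Constructed sample data; SECRET stands for a key kept outside the database.
SECRET = b"constructed-secret-not-stored-in-the-db"
ALICE = {"username": "alice", "registered": "2011-06-28", "salt": b"\x01" * 16}
BOB = {"username": "bob", "registered": "2011-06-29", "salt": b"\x02" * 16}

if __name__ == "__main__":
    blob = encrypt_field(SECRET, ALICE, b"alice@example.com")
    print(decrypt_field(SECRET, ALICE, blob))
```

A dump of the table alone yields the salts, usernames and ciphertext blobs but not `SECRET`, so decryption fails for anyone holding only the database.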
 
Post subject: Re: So after all this cipher stuff...
 
Godlike Poster

Joined: Sun Oct 16, 2005 9:42 am
Posts: 8798
Karma: 17

Location: Imagine in your mind a posh country club
Steam Login Name: azcn2503
Si wrote:
a) Are we mistaking hash for encrypt in places? They are different functions and have different usefulnesses in different places.


These things are definitely not being confused, well, not by me anyway!

I'll put my idea in webtagr soon Si... soon as in... soon™. Basically next week but probably up to 2 weeks, maybe 3. It's real busy at real work :( It will make more sense when I put this idea into a live system.

_________________
Follow your heart and live the dream <3


Thu Jun 30, 2011 1:08 pm 
 
Post subject: Re: So after all this cipher stuff...
 
Unstoppable

Joined: Sun Jul 20, 2008 3:27 pm
Posts: 1119
Karma: 0

Steam Login Name: sparksftw
azcn2503 wrote:
But once the hack was made, the data was available in plaintext, right?

Only the Sony one, which had no encryption full stop. SEGA and the other sites were only u/n and emails I believe (which, to be honest, don't really need a massive encryption)



Fri Jul 01, 2011 12:41 am 