For years I've complained to coworkers and "bosses" that encrypting data in a web app was foolish. If the key had to be available at run time, the same access that granted a hacker access gave her the key to the data as well. A one-way hash of constant data is really no better, and adding salts doesn't actually increase security since, like keys, they're available at runtime. Now I've got a club; hopefully this article by Bruce Schneier will allow me to drive a nail into the coffin of such schemes. Of course the reality is that none of those who've suggested these schemes will be deterred, as they know more than anyone else does anyway.
Yay! Bruce Schneier validates me … impersonally