Ashley Madison

With the Ashley Madison hack and the resulting chaos, I have been thinking that we need to encrypt more than just the member's password when operating certain types of sites. If one was operating a site where it was important that the member's personal information is secured, and it does not have to be any sort of adult site either, a hack of my server and a dump of the database would expose the member's information.

Geeks, making the world a better place
Quote · 28 Aug 2015

The password is hashed, not encrypted. It is one-way, meaning you cannot retrieve the original value.

So that will not work for the rest of the data as it will prevent it from being used or displayed on the profile page or anywhere else.

Standard encryption would work, but all the extra encrypting and decryption needed every time the data is accessed would degrade site performance. And I predict it would be a big performance hit.

I do not believe it is necessary. I do not know of any website that does that either. Should not have been possible anyway. They must have had poor security, vulnerable server software, some hole of some kind on the server itself that allowed the hackers to get the database.

https://www.deanbassett.com
Quote · 28 Aug 2015

Yes, I know the password is not stored; the hash is stored. That was a slip on my part.

Standard encryption would work, but all the extra encrypting and decryption needed every time the data is accessed would degrade site performance. And I predict it would be a big performance hit.

Evidently, Ashley Madison had enough information on their users in their database that it has really screwed a lot of people. There is some responsibility on operators to keep such personal details secure, and there are court decisions to back this up. Ashley Madison is likely to lose the lawsuit against them. One member on this site has spoken of HIPAA regulations, which is along the same lines. I think we need to drop the idea that Dolphin can run on a shared server; I doubt if most sites running decent hardware would see that much of a performance hit for encrypting personal information.

Maybe it is all the H-1B workers that are at fault; it seems that anyone can be hacked these days. If someone can gain access to the federal employee database and basically cause millions of people to be forced to constantly worry about identity theft, I think the issue is very real. Stolen data is worthless if you don't have the key to see it.

Geeks, making the world a better place
Quote · 29 Aug 2015
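The distinction the posts above draw between a one-way password hash and reversible encryption of profile fields, as an added example that is not part of the original thread and is not Dolphin code. It assumes PHP 7.4+ with the sodium extension; `encryptField`, `decryptField` and the sample profile are hypothetical, and the timing loop is there so the per-field cost can be measured on your own hardware.

```php
<?php
// Added example: hypothetical helpers, not Dolphin code. Needs PHP 7.4+ with ext-sodium.

// Passwords: one-way hash. The original value is never recovered, only verified.
$hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse battery staple', $hash));

// Profile fields: reversible, authenticated encryption.
// Assumption: in production the key is loaded from somewhere a database dump
// does not include (config outside the webroot, environment, KMS).
// It is generated inline here only so the demo runs on its own.
$key = sodium_crypto_secretbox_keygen();

function encryptField(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh nonce per value
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}

function decryptField(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('wrong key or tampered data');
    }
    return $plain;
}

// Constructed sample row: what would be written to, and read back from, the table.
$profile = ['email' => 'member@example.test', 'city' => 'Springfield', 'dob' => '1980-01-01'];
$row = array_map(fn($v) => encryptField($v, $key), $profile);
print_r($row);                                              // what a dump would contain
print_r(array_map(fn($v) => decryptField($v, $key), $row)); // what the profile page shows

// Measure the per-field cost rather than guessing at it.
$n  = 10000;
$t0 = microtime(true);
for ($i = 0; $i < $n; $i++) {
    decryptField(encryptField($profile['email'], $key), $key);
}
printf("%d encrypt+decrypt round trips: %.1f ms\n", $n, (microtime(true) - $t0) * 1000);
```

Columns stored this way can no longer be searched or sorted in SQL, and the protection only holds if the key is kept where a dump of the database does not reach it.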

I usually use sucuri.net for securing my website. It's an external firewall and they can amend what ports are free. All traffic goes through their system and you can even use CDNs like maxcdn or cloudflare. Also, if anyone puts code into your website search that implements SQL injection, their IP is blocked. Another good feature is they double lock your admin folder, in the case of Dolphin the /administration folder. When someone enters it, Sucuri puts up a mobile phone code password, so nobody can access the administration folder without knowing the code, which is sent to your phone first.

Worth a look, and they have never failed me.

Quote · 29 Aug 2015
 
 