I want the Web site users to enter their proprietary information via the usual form-based interface, and then I want to save that information in the SQL database in a safely encrypted form (so that I can decrypt it, if needed).
What publicly available tools would you suggest I use for encrypting the data, so that the data would be safe, even if both the database AND the Web site are hacked? Also at what point should I encrypt the data? In SQL? In ASP?
All of that is certainly possible if you store the authentication information using one-way hashes. Microsoft has a good article about doing that in .NET (I hope you're using ASP.NET and not ASP 3.0).
Of course, if someone hacks your ASP box, they could replace your login mechanism with their own and collect the usernames and passwords that are submitted from that point forward. Also, one-way hashes aren't foolproof, and may be compromised using brute-force attacks. Once your box is hacked, it's not yours anymore. It depends on what the site is used for. If you're with the government, you're likely to attract the attention of very sophisticated hackers. If you run a small Web site, most of your attacks will come from worms and viruses, with an occasional script-kiddie. Even the simplest encryption will be more than enough to keep these simpler attackers from misusing the stored credentials.
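The one-way hash storage the answer describes, as an added example that is not part of the original Q&A or the Microsoft article it mentions: each password gets its own random salt and an iterated PBKDF2 hash, which is what raises the cost of the brute-force attacks the answer warns about; the record format, iteration count and function names are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (assumptions, not from the page).
# Raise ITERATIONS over time: each guess an attacker makes against a
# leaked hash must repeat this many rounds.
ALGO = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$hash.

    Storing the salt and iteration count next to the hash lets the
    verifier recompute it, and lets old records be upgraded later.
    """
    if salt is None:
        # A fresh random salt per user means two users with the same
        # password get different records, and precomputed tables fail.
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_" + ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations; constant-time compare."""
    try:
        scheme, iters, salt_b64, hash_b64 = stored.split("$")
        algo = scheme.removeprefix("pbkdf2_")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, int(iters))
    except (ValueError, TypeError):
        # Malformed record or unknown algorithm: treat as a failed login.
        return False
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)
```

Only the record returned by hash_password goes into the database; the plaintext password is never stored, so a dump of the table yields hashes that still have to be guessed one expensive iteration run at a time.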
This was first published in December 2002