9

I am currently coding the backend of a website and I have not come across an article where this is discussed. I want to store all my application data in MongoDB but I'd like to split out my sensitive user information into a MySQL database. My rational is that the MySQL database will only be accessed for authentication but I'd like to store usernames and passwords in a datbase that is ACID. The added benefit is that the user's data is physically separated from the user entity itself, which I like.

My question is, is this necessary? Should I keep all my data in MongoDB?

MikeG
  • 193
  • 1
  • 3

1 Answers1

5

If you think the database engine you're planning to use isn't secure enough, then I wouldn't advise using it for anything. If it is secure enough, then the added complexity of two different database APIs will make your life harder, and not really affect an attacker (they'll just dump it to a file anyway).

If you want the data physically separate, you could put the password database on a separate machine from your other data.

If you correctly hash your passwords (PBKDF2, bcrypt or scrypt; high cost/iteration count), then your password database shouldn't be very useful to attackers anyway, except in the case of stupidly weak passwords.

Regarding ACID compliance: MongoDB does have atomic operations, it just doesn't have multi-document transactions, which presumably you don't need in a database that only has one collection.

Brendan Long
  • 2,898
  • 1
  • 19
  • 27