Systems and methods are disclosed for storing sensitive data in a
database, such as an application database or a dedicated application
security database or store. In accordance with one aspect of the
invention, user passwords are not directly stored in a database; but
instead, when a password is entered, a one-way hash of the password
phrase is produced for storage and/or comparison purposes. In accordance
with another aspect, individual authorized application users are each
aligned with their own version of an application-wide security key such
that it becomes unnecessary to directly store the key in its original
form. The security key is used to process sensitive data. In accordance
with another aspect, a user's version of the application-wide security
reflects an encryption-based relationship to the user's password. Various
embodiments also support flexible access to particular collections of
sensitive data based on user account and/or user role information.
