How data saved using a smart contract is stored in the Ethereum blockchain


I am interested in how data from smart contracts is stored in the Ethereum blockchain. For example, I have this structure, which also stores the user's password:

    struct UserInfo {
        string password;
        uint256 blockTime;
        address userAddress;
    }

which is stored in a private mapping:

    mapping(address => UserInfo) private users;

I also have a function that returns the password if the user is in this mapping:

    function getPass() public view returns (string memory){
        require(users[msg.sender].userAddress == msg.sender, "User does not exist");

        return users[msg.sender].password;
    }

It is clear that if some user wants to get the password of another user through this smart contract, he will not be able to do this, since he will not pass this check:

    require(users[msg.sender].userAddress == msg.sender, "User does not exist");

But what if the user installs a full node and, accordingly, has the whole blockchain locally? Will he then be able to somehow read the data that the smart contract saves?

I looked for this in the Solidity documentation but didn't find it, so I asked ChatGPT, which said that "the blockchain is a distributed database, and all data stored in the blockchain is available to all participants in the network. A user who has access to a full node synchronized with the network will be able to view all data, including the status of all smart contracts located in the blockchain." It turns out that it is impossible to save confidential data in this way on the blockchain.

Pranesh Rajeswaran On BEST ANSWER

You are right. It is generally not safe to store sensitive information directly on the ETH blockchain or any other public blockchain. Because of the transparency of blockchain technology, all data is visible to everyone who has access to the full node. Your smart contract logic prevents unauthorized access to some data via access controls such as the one you have implemented, but the actual data is still visible. For example, even if a user does not have access to another user’s password through the ‘getPass’ function due to access control checks, they can still inspect the blockchain’s state and see stored passwords directly without having to interact with the smart contract. To prevent this, encrypting sensitive data before storing it on a blockchain is a good idea. However, with encryption comes the risk of security implications and vulnerabilities.
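To make the answer's point concrete, here is an added example (not part of the original question or answer) that decodes the raw 32-byte storage words of one `UserInfo` entry, following Solidity's documented storage layout. It assumes the words were returned by a node's standard `eth_getStorageAt` JSON-RPC call; the function names and the sample words are constructed for illustration.

```python
# Added example. Solidity layout: the value for key k of a mapping declared
# at slot m starts at p = keccak256(abi.encode(k, m)); the UserInfo members
# then occupy p (password), p+1 (blockTime) and p+2 (userAddress).

def _word(hex_word: str) -> bytes:
    raw = bytes.fromhex(hex_word[2:] if hex_word.startswith("0x") else hex_word)
    if len(raw) != 32:
        raise ValueError("storage words are exactly 32 bytes")
    return raw

def decode_string_slot(hex_word: str) -> dict:
    """Decode the head slot of a Solidity `string`.

    Short (<= 31 bytes): bytes are left-aligned, lowest byte holds length * 2.
    Long: the slot holds length * 2 + 1; the bytes live from keccak256(p) on.
    """
    word = _word(hex_word)
    if word[31] & 1:  # long string: only the length is in this slot
        length = (int.from_bytes(word, "big") - 1) // 2
        return {"inline": False, "length": length, "value": None}
    length = word[31] // 2
    value = word[:length].decode("utf-8", errors="replace")
    return {"inline": True, "length": length, "value": value}

def decode_user_info(words: list) -> dict:
    """words: hex strings for the three consecutive slots p, p+1, p+2."""
    pw_word, time_word, addr_word = words
    return {
        "password": decode_string_slot(pw_word),
        "blockTime": int.from_bytes(_word(time_word), "big"),
        # an address occupies the low 20 bytes of its slot
        "userAddress": "0x" + _word(addr_word)[12:].hex(),
    }

# Constructed sample words (not taken from any real chain).
SAMPLE = [
    "0x" + b"hunter2".hex().ljust(62, "0") + "0e",  # 7 bytes -> 7 * 2 = 0x0e
    "0x" + (1700000000).to_bytes(32, "big").hex(),
    "0x" + "00" * 12 + "11" * 20,
]
LONG_HEAD = "0x" + (2 * 40 + 1).to_bytes(32, "big").hex()  # 40-byte string

if __name__ == "__main__":
    print(decode_user_info(SAMPLE))
    print(decode_string_slot(LONG_HEAD))
```

Neither `private` nor the `require` check in `getPass` is involved in this decoding: both restrict what other contracts and callers get through the contract's interface, not what is recorded in state.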