As for "we do not allow users to give us any of their sensitive information to store in the database" No, you generate some sensitive information, store it in plaintext and don't allow the user to change it. That's *worse*