Is this secure??

Anon

Hi people!

I have a mysql database that holds passwords in a Mysql table in a raw state (Not encrypted or anything). Can any1 tell me if this is a good idea? Is it hackable?? if so, how can i stop this?

Thanx

Jonathan

vsego

It is never a good idea to keep passwords in plaintext. If nothing worse - users can use some password that are used somewhere else (somewhere important) and YOU can read the database.

Also, anyone who can get your DB login/passwd (i.e. by reading your code) will see these.

Usually, you store password hash (md5($pass)) and, when checking user you check hashes:

if ($pass_from_db == md5($provided_pass))
...ok...
else
...bad passwd...

kikidonc

I didn't get it (partly because of my english level and partly because of my php one).

I'm new at it and did the same error he did (I didn't imagine a db could be vulnerable).

I don't really understand your sollution:
you propose to crypt the passwd in the db and then, when we wanna check them, to compare them with the crypted value of the passwd given by the user? Is that it? (hope you understood what I wrote :-) ).

Yes, should be fine.
But if a hacker can access our DB, he will also be able to decrypt the values (not as easily, but... still), won't he???.
Fred.

vsego

Exactly - you work with password hashes.

As for cracking - only brute force is available. You see, hash is irreversable function. This means that a cracker would have to try ALL possible passwords by encrypting them and comparing hashes.

What cracker might see in your code is that its md5() function. But, he would still have to test all values. If password is case-sensitive (226 letters) with digits (10 of them) and password is exactly 6 chars long (considered secure minimum - 8 is prefered), then you have (226+10)^6=42⁶ combinations (approx. 5.5 billions of combinations). Each of them must be encrypted and compared to hash.

Add some special chars (spaces, comas,... almost all of them...) and you get the picture.

kikidonc

OK, I'm with you on that point: It will give hackers a longer time to get through it.

I know nothing about crypting (as I told you, i'm not technical). But I guess A caracter give a single crypted caracter (or maybe a shortserial of caract.), doesn't it? So, the only thing you need, as a hacker, is to crypt each caracter once (26+10) and then to compare each of them to the crypted password... Mathematics are not always well interpreted: here possibilities are reduced a lot (maybe twice the same, or ???).

I'm sure, it doesn't take that long :-) to do it.

The thing I wondered was (and still is BTW): What is it possible to do to avoid hackers to see my db (mySQL in my case). Is it any conf file that could avoid that everybody who has username and password to access it (checking IP @, or HostID, or whatever... I don't know exactly what is it possible to do).

Otherwise, I could also change my username and password frequently, but it's not really what I'm looking for :-)

Sorry to be as suspicious, but I can't let any chance to get my data spoiled or even only seen.

Hope you understand,
Sincerely Yours,
Fred.

vsego

That is the feature of hashes: change one letter ("a" to "b" for example) and the whole hash will change. You cannot even determine the length of plaintext!
I don't know about such filtering in MySQL, but the question is: what info is proper for such authentication and still available to MySQL?

What you CAN do is this: make your script as CGI (written in PHP if it's compiled as CGI and not Apache mod). With 4600 (yes, 4 digits!) permissions (chmod in Unix/Linux). That way, CGI will be started by Apache as you started it yourself (that's what 4 is for). 6 means you can read it and write to it (change it). Others won't have access and will not be able to read login/passwd (that's 0 for group and 0 for others).

Your script can look like:

list.cgi:
#!/usr/bin/php
<?php
$readLogin = "login";
$readPass = "password";
include("./php_file_with_all_code.inc");
?>

That way, you'll make all the changes in file php_file_with_all_code.inc, but will keep login/passwd hidden.

Good luck!

kikidonc

Thanks a lot for your patience with me ;-), it's very nice!

The thing is that I know nothing yet about CGI. If I understood you well, my php code could be compiled as a CGI one, is that right? So, do I need special things to install on my computer to allow that(CGI compiler or ...)? Then, probably my apache conf. files to update.

I'm running apache on windows2000, sorry ;-), but I guess I can manage such permissions on it.

Thank you very much, once more, for your help.
Fred.

vsego

No problem, it's been a pleasure. :-)

CGIs don't get compiled. They're called as shell scripts (Unix counterpart of batch files on DOS/Win). That's what line "#!/usr/bin/php" is for: under Unixes it invokes interpreter (in this example /usr/bin/php).

Under Windows, I think it's enough to put "#!C:\Program Files\PHP\php.exe" (no quots). Remember, it has to be FIRST line with nothing before!

As for permissions, I don't know if Win2k supports additional value (4). You can set permissions for each user, but the point of using CGI and setting special permissions (4600, or maybe 4611 - I'm not sure) was that the script gets run under your name and not default web user (httpd, nobody,...). I suggest you to ask on this (or maybe "General Help" or "Windows Help") forum how can this be done in Win2k. Or switch to Linux server... :-)

I use Win2k as a development machine, but I always publish my sites on Linux and other Unix machines, so I don't really know how to do this in Win2k. Sorry.

kikidonc

I has been a plaisure for me too!

I'd like to develop on Unix but I know nothing about it yet... That's why I try to learn php first and then, when I'll have a bit more time, learn UNIX. We have both server, so it's just a question of time ;-)

I'm on Win2000 for tests and trainning for now... nothing professionnal yet.

I'm gonna have a look at microsoft forums.

Thank you very much and hope to hear from you later again.

Take care,
Fred.

vsego

If you find out how to do this on Win2k, please post it.

Thanx!