Storing passwords as plain text


whitedragon101
10-06-2010, 11:25 PM
I have a mysql database that allows a customer to view an order they have made. The usernames and passwords only allow a customer to view but not change anything.
At the moment the passwords are stored as plain text. I have seen many security articles saying this is bad and that should someone crack into your database they can steal all your passwords. My problem is I'm confused, but it seems to me (and correct me if I'm wrong, which is why I'm asking :) ):

If someone breaks into my database then the only use of a password is to log into the system and see a user's information. However if they have access to the database they already have access to the user's information.

It seems to me either every piece of data (Name, Address, etc.) has to be stored in encrypted form as well as the password, otherwise there is no point.

Then I thought, but wait... The only way to break into the database is a direct attack (as I vet all input to prevent SQL injection). Therefore someone who has broken into the server directly will also have access to the PHP code and therefore the encryption key. All data can now be unencrypted and they have all the data again.

Basically:

1) Text passwords + Cracker gains access to database = user data stolen
2) Encrypted passwords + Cracker gains access to database = user data stolen
3) All fields encrypted + Cracker gains access to database by cracking server = Cracker therefore also has access to PHP files = Cracker has access to PHP un-encrypt code = user data stolen

It seems like this extra security is like padlocking your bike and leaving the key next to it. It looks secure but doesn't really make a difference.

Any thoughts?

edbr
10-07-2010, 01:13 AM
It is standard practice to encode using sha1 or md5, and as you say most if not all of the security gurus advise this at the very least, especially against brute force attacks. I don't see it as leaving the key next to the padlock at all. So my viewpoint is: why not do it?

edbr
10-12-2010, 09:06 AM
This post has been nagging at me a bit, so how about this.
Although md5 gives a much increased safety factor over plain text, it could be decrypted (although not easily). A further measure would be to salt your password, i.e. add characters to it, so I did a bit of digging and finally wrote this, which could be adapted fairly easily.

After applying stripslashes and/or mysql_real_escape_string to your password string:

ex.
<?php
// $myusername and $mypassword come from the login form (escaped before use)
$myusername = mysql_real_escape_string($_POST['myusername']);
$mypassword = mysql_real_escape_string($_POST['mypassword']);

// site-wide salt appended to every password before hashing
$salt = 's+(_a*';

// hash the salted password; the same md5($password.$salt) must have been
// stored in the password column when the account was created
$new_mypassword = md5($mypassword . $salt);

// $tbl_name is assumed to hold the name of the users table
$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' AND password='$new_mypassword'";
$result = mysql_query($sql);

davidj
10-23-2010, 07:30 PM
Also note that unless you are using SSL then your password would be visible over HTTP. If anyone is listening to your site they will be able to see what your form is posting every time. This is the case even if you are encrypting the password for storage.

Also note that MD5 is one-way encryption. It can't be cracked as there is no key to find. The only way to work out the encrypted string is to guess the original word. You can encode anything to an MD5 encryption string. Even War and Peace could be reduced to a 32-char length string!!

edbr
10-24-2010, 04:01 AM
"Also note that MD5 is one-way encryption. It can't be cracked as there is no key to find." Have a look at this, David: http://md5.web-max.ca/

It is based on some kind of database but can decrypt some that I tried, for instance 2ec0dfce896fa30233359748248dddec (http://tools.web-max.ca/encode_decode.php?string=2ec0dfce896fa30233359748248dddec)

davidj
10-24-2010, 02:00 PM
It is a database of common words. They have run them through the MD5 algorithm, mapping the word to the encrypted string and storing the pair. They did not crack it, they just have a database of original/encrypted pairs. To protect yourself from these databases you just have to adopt a strong password format methodology using upper and lower case, alphabetic and numeric characters, enforcing complex passwords.
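
The lookup-table attack described in this post, and the effect of the salting approach from edbr's PHP snippet earlier in the thread, as an added Python example that is not part of the original posts. The word list and the "dragon" password are constructed for the demonstration; the site-wide salt value is the one from the snippet above. The per-user-salt defence uses PBKDF2 from the standard library and a constant-time compare, which are my choices, not anything the thread proposes.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the "database of common words"
# the poster describes; the attacker hashes each word once and keeps the pairs.
COMMON_WORDS = ["password", "letmein", "qwerty", "dragon", "sunshine", "monkey"]

# Site-wide salt as used in the PHP snippet earlier in the thread.
SITE_SALT = "s+(_a*"


def build_md5_lookup(words, salt=""):
    """Map md5(word + salt) hex digest -> word: the precomputed table."""
    return {hashlib.md5((w + salt).encode()).hexdigest(): w for w in words}


def lookup(table, stored_hex):
    """Recover the original word from a stored digest if the table has it."""
    return table.get(stored_hex)


# --- defender side: random per-user salt plus a slow, iterated hash ---

def hash_password(password, salt=None, iterations=200_000):
    """Return (salt, digest). A fresh 16-byte salt per user means a single
    precomputed table cannot serve all accounts; PBKDF2 iterations make each
    guess expensive instead of one md5 call."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo():
    """Walk through the three cases: unsalted md5, site-wide salt, per-user salt."""
    generic_table = build_md5_lookup(COMMON_WORDS)

    # 1) Unsalted md5 of a common word: one dictionary lookup recovers it.
    unsalted = hashlib.md5(b"dragon").hexdigest()
    found = lookup(generic_table, unsalted)

    # 2) Site-wide salt: the generic table misses, but once the salt is read
    #    out of the PHP source the table is rebuilt once and covers every user.
    salted = hashlib.md5(("dragon" + SITE_SALT).encode()).hexdigest()
    missed = lookup(generic_table, salted)
    rebuilt_table = build_md5_lookup(COMMON_WORDS, SITE_SALT)
    found_again = lookup(rebuilt_table, salted)

    # 3) Per-user random salt: a table would have to be rebuilt per account,
    #    and each entry costs 200,000 PBKDF2 iterations rather than one md5.
    salt, digest = hash_password("dragon")
    ok = verify_password("dragon", salt, digest)
    wrong = verify_password("dragon1", salt, digest)
    return found, missed, found_again, ok, wrong


if __name__ == "__main__":
    print(demo())  # ('dragon', None, 'dragon', True, False)
```

Note that case 2 is exactly the thread's padlock-and-key situation: a fixed salt in the PHP source buys nothing against someone who already has the code, whereas a random salt stored next to each hash forces the attacker to do the work per user even with full database access.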

edbr
10-25-2010, 01:19 AM
Yes, I suspect they are collecting when people use an online encrypt to feed the database. I first tried that example I gave and it could not decode it; I then tried an online encrypt (another site) and when I returned and tried it again it could decode it. So it would also be a good idea not to encrypt using online 'services'.