Comments on: Storing Passwords (securly) in MySQL

By: Shiva Gopalakrishnan

Shiva Gopalakrishnan — Sat, 08 Mar 2008 07:00:52 +0000

I like the concept of salting. In fact I was thinking about it without knowing the term. I was looking at various articles on the web over this.

How about adding some pepper too? How about using multiple levels of salting and again the pattern of the elements salted is hashed and to make it even complex use the MD5hash of one of the salting elements.

As we increase the complexity of the passwords one of the things that is going to be of importance is the storage of the function which verifies the password.
If this is not secure which basically means, if you have a very insecure password for your website all this discussion is just a “moo point”…

By: Pythian Group Blog » Log Buffer #7: a Carnival of the Vanities for DBAs

Pythian Group Blog » Log Buffer #7: a Carnival of the Vanities for DBAs — Fri, 09 Mar 2007 21:30:03 +0000

[...] A survey of alternatives to the PASSWORD function for storing passwords in MySQL is up at Frank Mash’s blog. MySQL provides lots of flexibility here, as Frank shows, and on Ramblings, Stewart Smith expands on this. [...]

By: MacPlusG3

MacPlusG3 — Tue, 05 Dec 2006 11:55:12 +0000

If write access it’s a different story than if it’s just read access – or they get a dump of it – e.g. are able to copy the file from the file system.

Also, non-salted passwords are *really* easy to crack, so with just a copy of the data from the db (e.g. an exploit that lets you run a SELECT query on it) you can then get the full access of that user.

By: pamthree

pamthree — Tue, 05 Dec 2006 10:22:37 +0000

if any person has access to your db don’t you think password hashed or not is the least matter of concern.

By: Marcel Oelke

Marcel Oelke — Sun, 27 Aug 2006 21:02:28 +0000

Hi …

For a somehow big md5 database you may take a look at my project at http://md5.rednoize.com. Currently you can search in 5,482,473 md5 strings. E.g. you will find out the matching string for 0b73943118d782b789a9ed910b79e40e there ;)

marcel

By: Frank Mash

Frank Mash — Fri, 25 Aug 2006 21:04:34 +0000

Thanks for pointing that out Stewart as salting will make the SHA1 and MD5 passwords relatively “more secure”, however, I agree with Peter that in case the data is stolen, a unlikely but possibly event, the hash will be available to the hacker. Unless of course the salt isn’t stored with the data.

Frank

By: Sheeri Kritzer » Blog Archive » Real Password Security - My-ess-queue-ell vs. My-see-quell

Fri, 25 Aug 2006 19:35:55 +0000

[...] With recent posts by Frank Mash and Stewart Smith about password protecting, I am reminded of all the privacy vs. security arguments we have going on in the United States. Basically, I see a somewhat similar situation — how much privacy do folks give up for the sake of security is analogous to how much calculation, how many hoops to jump through, to ensure that data is secured properly. [...]

By: Peter Zaitsev

Peter Zaitsev — Fri, 25 Aug 2006 08:55:55 +0000

Stewart,

I think what you need to mention is what kind of attack are you trying to protect here. If someone has stolen your database they also have salt and this means it does not really help. If your API is exported and does not protect from trying to brute force the password it also does not help. It really only helps if you only got MD5s from your passwords.

This is if you’re trying to find password for _single_ account.

Now if you want to find password for _any_ account salting also helps, as you mention it but for this case you better not to lose your database.

If you have system with 100.000+ users it is likely going to take couple of passwords to find someone, especially if it is something like web service where people trend to use simple passwords.

This does not mean you should not use salting and other techniques of course :)