Comments on: encrypted passwords in database

By: depesz

depesz — Mon, 28 Jun 2010 19:51:14 +0000

@need help:
it looks like crypt() with md5 algorithm, but with empty (or removed) salt.

By: need help

need help — Mon, 28 Jun 2010 19:38:26 +0000

someone can help me!!
use what encryption this one
$1$$YT09lUh5xTp9kWFx8G2bV0

can someone encrypt for me??

thanks before

By: kpy3

kpy3 — Fri, 18 Jun 2010 14:03:07 +0000

Oh! I’ve missed it, thanx.

By: depesz

depesz — Fri, 18 Jun 2010 12:55:36 +0000

@kpy3:
that’s because left is now keyword. just prefix variable names, and you’ll be good.

By: kpy3

kpy3 — Fri, 18 Jun 2010 12:31:09 +0000

This doesn’t work on PostgreSQL 9.0 beta 2, function password_beq fails with error
ERROR: syntax error at or near “,”
LINE 58: left_crypted := ( substr(left, 1, 3) = ‘$1$’ );
^

********** Error **********

ERROR: syntax error at or near “,”
SQL state: 42601
Character: 1404

By: Ian Harding

Ian Harding — Wed, 10 Dec 2008 17:34:58 +0000

I was thinking of backups. If I get your backups, I have everyone’s password. If the system doesn’t allow passing the hash to log in, I just have a bunch of hashes that I have to crack. THEN I have everyone’s password. But that takes a while.

On the other point, if I crack your web server, I have database privileges as the web user account. That should leave you only partially screwed since the web server connects as an unprivileged user. It takes a whole other level of kung-fu to get to super user from there. And it takes a while.

Anyway, not throwing rocks, this is an excellent intro to pgcrypto and custom operators. Thanks!

By: depesz

depesz — Tue, 09 Dec 2008 20:49:08 +0000

@Ian Harding:
Well yes and no.

To get hashes bad guy would have to have database privileges, and in this situation we’re screwed anyway. The point is that he/she will not be able to get the passwords to use them someplace else.

By: Ian Harding

Ian Harding — Tue, 09 Dec 2008 20:37:58 +0000

# select * from users where passwd = ‘$1$Im51jH1k$/9AOm/t.4BixxF7YzZ5hx0′;
id | username | passwd
—-+———-+————————————
1 | depesz | $1$Im51jH1k$/9AOm/t.4BixxF7YzZ5hx0
(1 row)

Doesn’t this negate the whole thing? I thought the purpose was to make the hashed values useless to a bad guy. This makes them identical in function to the real passwords.

By: </depesz> » Blog Archive » smtp + sql = more than it seems so (part 3)

Tue, 26 Feb 2008 08:54:50 +0000

[...] now we have it. let’s check previous post from my blog, about password [...]

By: Pythian Group Blog » Blog Archive » Log Buffer #70: a Carnival of the Vanities for DBAs

Fri, 09 Nov 2007 18:10:20 +0000

[...] with Postgres, on , Hubert Lubaczewski hosts and exploration and discussion of encrypted passwords in the database. He endorses letting Postgres itself handle password encryption with the pgcrypto module from the [...]

By: Jeff Davis

Jeff Davis — Thu, 08 Nov 2007 02:04:52 +0000

@depesz:

However, I would like to add that if there is a legal requirement that you not store plaintext passwords, be very careful that no SQL statements get logged, and that no monitoring scripts watch pg_stat_activity. Otherwise a password might get saved in plaintext in a log or notification.

By: Jeff Davis

Jeff Davis — Thu, 08 Nov 2007 02:02:48 +0000

@depesz:

Oh, I see. Makes sense, particularly the point about backups.

By: depesz

depesz — Wed, 07 Nov 2007 19:55:41 +0000

@Jeff Davis:
usually against “hacks”.
somebody hacks, gets dump of database.
somebody steals backups.
this kind of things.

of course hacker that will hack, get root access will be able to circumvent it, but it will take longer time, thus it makes the hack easier to be revealed.

also – sometimes password encryption/hashing in database is external requirement (think: business, local law, common practice)

By: Jeff Davis

Jeff Davis — Wed, 07 Nov 2007 19:05:47 +0000

@depesz

If you’re not protecting against the DBA, then why not just REVOKE and forget encryption all together?

If the goal is to avoid accidentally storing the plaintext password (as DBA), I showed two examples where it’s easy to accidentally store the password in plaintext if you’re the DBA.

By: depesz

depesz — Tue, 06 Nov 2007 20:02:14 +0000

@Jeff Davis:
actually i think that protecting “against” dba is futile anyway. dba can do whatever he want, so with some level of knowledge he can circumvent any kind of solution (as long as unencrypted/unhashed data shows to db server at least once).

By: Jeff Davis

Jeff Davis — Tue, 06 Nov 2007 19:55:12 +0000

If you use a trigger to encrypt the password, keep in mind that there are still many situations in which the password might be revealed to the DBA.

For instance:
* anything that causes the statement to be logged, such as log_min_duration_statement
* anyone who has access to pg_stat_activity. You might have monitoring scripts that show you some query worth looking at, and that query might end up being the one to insert the password.

And probably some other stuff. It is certainly worth considering to keep all encryption _outside_ of the database. You can’t keep information secure from the DBA if it’s encrypted by the database. And if not keeping it secure from the DBA, why not just revoke privileges from everyone else?

By: depesz

depesz — Tue, 06 Nov 2007 14:14:56 +0000

@Tzvetan Tzankov:
kind of. chkpass uses old algorithm, which has one very important drawback – handles correctly only password up to 8 characters long.
also – there are ready databases (web-accessible) which “decode” those password.

By: Tzvetan Tzankov

Tzvetan Tzankov — Tue, 06 Nov 2007 12:56:27 +0000

there is other contrib package chkpass, which does mostly the same thing

By: depesz

depesz — Tue, 06 Nov 2007 10:54:12 +0000

@Tom Davis:
hmm .. i wouldn’t use db-authen in any website scenario. 1.5 million users?!

@Andrew Hammond:
i really think md5 is sufficient for passwords. using sha* is good for cryptographically secure document signatures, but for password – i don’t see real need to use anything > md5.

@smk:
sure, you’re right.

@Ron:
take a look at trigger code – salt *is* random.
gen_salt() function generates random salt.

By: Ron

Ron — Tue, 06 Nov 2007 10:02:49 +0000

And for the paranoid, you should probably throw in a random salt, different for each user, to protect against table-lookups of the hashes , should they somehow be compromised.

By: smk

smk — Tue, 06 Nov 2007 08:46:21 +0000

Just one, minor issue: You are talking about hashing, not encryption. Encryption is reversible, hashing is not (which is the whole point of hashing).

By: Andrew Hammond

Andrew Hammond — Tue, 06 Nov 2007 00:38:18 +0000

Tom, I think you have a good approach there for small business solutions, sacrificing pooling simply isn’t acceptable for larger scale soltions. In those cases, it makes good sense to have a separate user for each application or administrator who’s going to be connecting to the database, and then do application level identification in a system such as depsez is discussing.

My worry about the solution discussed above is that it’s using md5 instead of the more robust / security-droid compliant sha512. Fortunately that’s easily fixed:

SELECT encode(digest(decode(TEXT ‘swordfish’, TEXT ‘escape’), TEXT ‘sha512′),
TEXT ‘base64′);

Or you can skip that outer layer of encoding and handle passwords as bytea. Annoyingly, this requires having built against openssl 0.9.8+.

By: Tom Davis

Tom Davis — Mon, 05 Nov 2007 17:16:47 +0000

The implication of using a table for storing user/password information is that you are bypassing the database authorization for something homegrown. There are two basic problems with this
1) Security: the application itself must be given authorization of the most powerful users, meaning that when someone compromises your application server (eg: apache) they have full access to your data.
2) Scalability: anyone wanting access to the data must either be given that same all powerful authorization, or additional authorization schemes must be implemented (say someone wants to use ODBC/JDBC to access the data for some reporting tool). And of course if you add new features to the application the old parts must be reviewed to ensure that the security model is not being compromised.

A solution which avoids these pitfalls is to use the database connection as the authorization function in your application. The downsize for that is that each user must use a separate connection which for HTTP means each GET/POST will create a new connection (connection pooling tends not to be useful as it is unlikely that a user will be serviced by the same process).

Nevertheless, in many cases, especially for intranet applications for small and medium sized offices, the performance hit is negligible and the improved security and data access is well worth using the database authorization system.