Passwort encryption on Mysql server

[prorobot]

Hello guys!
I am working on a app that requires a login system and i got everything done with the passwort not
encrypted. I know it is a no-go to put unencryted passwords in a mysql database, so i wanted to hear your
solutions to this problem. How is it possible to hash the passwort and store it correctly?

regards, jakob

[teriibi]

(same encrypting needs soon...)
Have you followed any of these examples so far ?
http://livecode.wikia.com/wiki/Encrypt

with what results

[ghettocottage]

Are you accessing the MySQL database directly, or going through a middleware such as Livecode Server or PHP?

Someone just posted a nice looking middleware example for MySQL based on Livecode Server that includes authentication:
http://forums.livecode.com/viewtopic.ph ... 35#p163035

I have not tried it yet, so I cannot speak to how well it is set up, but it might at least be a starting place.

[MaxV]

Unencrypted passwords are not safe if someone get access to administrator privileges, because he would read all passwords and he could act as other users, creating a lot of problems.
If you store password encrypted, an administrator can't act as another user, because he reads only crypted password and can't know the real passwords.

However MySQL passwords are stored in the user table of the mysql database and are encrypted using it's own algorithm.

If you stored other strings as password for other purposes, you can use also the one the mysql crypt functions: https://dev.mysql.com/doc/refman/5.5/en ... tions.html

[FourthWorld]

Encryption is not generally considered sufficient for passwords. Anything that can be encrypted can be decrypted. A good rule of thumb is that if you use any site that allows password recovery, stop using it. Passwords should be resettable, but unrecoverable,

With passwords we want a one-way hash, ideally a double hash, with salt.

Dr. Peter Brett, of the LC team at the time, offered up an example of salted double-hash here:
https://www.mail-archive.com/use-liveco ... 82876.html

Note that SHA1 is no longer state-of-the art, so sha1Digest should not be used in new code where cryptographic-quality hashing is needed. LC now offers the messageDigest function to replace the older hash functions, which allows arguments of SHA2 and even SHA3, both of which are considered acceptable today (though SHA3 will likely have more shelf life).

[teriibi]

Sorry if the question is dumb :

Im about to write script for both goal, encrypt URL params...+ encrypt PW in DBs.

Does Encrypting URL to protect parameters uses the same LC function as encripting Password or other datas.

If they are two distinct functions, than one would actaully use encryptions in script such as with a GET or POST requests twice, in the case of an included PW transfer.
... and even three times according to your Post !

[FourthWorld]

Rule #1 for appsec: don't roll your own security.

SSL solves this problem (though for other reasons I'd use POST rather than GET for sending data to the server). And with DNS under constant attack HTTPS is additionally valuable so your users can know they've arrived at the site they intended to.

SSL certs are free these days, thanks to the Let's Encrypt project:
https://letsencrypt.org/

[teriibi]

In fact I m already using Https...
But on top of this I was told to encrypt all url params for queries...

[FourthWorld]

In fact I m already using Https...
But on top of this I was told to encrypt all url params for queries...

Wouldn't hurt I suppose, but why GET over PUT for login?

[teriibi]

True, in fact I was refering to DB queries - once logged...and at the same time PW/USER encryption too

[FourthWorld]

One benefit of using POST instead of GET is that the query string sent with GET is recorded in the access logs, creating an additional security exposure when those strings contain secrets.

[teriibi]

Thanks so much,
I m really new - and selflearning - about this kind of Requests over the Web so thats valuable info to me !
!

[FourthWorld]

Writing software is hard enough, but writing client-server apps is super-hard because you not only need to think of all the ways a user might misuse the app, but how the bad guys might misuse your server.

I have a friend who's been in the business for decades but he's burning out from having to deal with all the security overhead. It's a much more dangerous online world than it was 20 years ago.

But it's all learnable if you're patient and eager to try new things. It helps if you also enjoy coffee.

What OS is your server running? And is it a shared host or VPS?


PS: Self-learning is the best learning. It's the only learning, really: whatever you learn in school is just a foundation, most interesting professions these days require life-long Self-learning anyway. It's a good habit to build.