oss-sec mailing list archives

Re: Source of bad password hashing practices? MySQL manual...


From: gremlin () gremlin ru
Date: Wed, 9 Oct 2013 11:45:18 +0400

On 08-Oct-2013 19:57:52 -0400, Rich Felker wrote:

> It's come to my attention recently that the MySQL reference
> manual is recommending very poor password hashing practices
> as part of its security guidelines:
> "Do not store cleartext passwords in your database.

This is the primary and undoubtedly correct recommendation.

> If your computer becomes compromised, the intruder can take
> the full list of passwords and use them.

True.

> Instead, use SHA2(), SHA1(), MD5(), or some other one-way
> hashing function and store the hash value."

Well, hashing functions may be reverted using rainbow tables, but
even this simple recommendation pushes web developers to think
about their sites' security.

> (http://dev.mysql.com/doc/refman/5.7/en/security-guidelines.html)

This document is destined for people who never cared about security,
so I'd suggest only one addition:

"To prevent password recovery using the rainbow tables, don't use
these functions on a plain password; instead, choose some string
to be used as a salt, and use hash(hash(password)+salt) values."

> With MySQL being one of the major traditional "LAMP stack"
> components, I wonder if this is the source from which many
> web developers are getting their ideas on how to do password
> hashing. What is the proper procedure for publicizing
> documentation bugs like this which are leading to poor
> security practice, and for getting them fixed?

This is not a bug, this is incompleteness. Minor one, I'd say...


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
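An added illustration of the salting point above, written for this archive page and not part of the thread: it models the manual's plain SHA2(password) storage next to the reply's hash(hash(password)+salt) construction, using SHA-256 for both and a fresh random salt per account (an assumption; the reply only says "choose some string"). A table precomputed over a small constructed wordlist matches the unsalted hashes directly but finds nothing among the salted ones.

```python
import hashlib
import hmac
import secrets

# Constructed sample wordlist standing in for a rainbow/lookup table's inputs.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "s3cret"]


def unsalted_hash(password: str) -> str:
    """What storing SHA2(password, 256) in MySQL produces: one fixed hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def new_salt() -> str:
    """Per-account random salt (assumption: the reply does not say per-user or site-wide)."""
    return secrets.token_hex(16)


def salted_hash(password: str, salt: str) -> str:
    """The reply's suggestion, hash(hash(password) + salt), with SHA-256 for both steps."""
    inner = hashlib.sha256(password.encode()).hexdigest()
    return hashlib.sha256((inner + salt).encode()).hexdigest()


def verify_salted(password: str, salt: str, stored: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def build_lookup(wordlist) -> dict:
    """Precomputed table: computed once, reusable against any unsalted database."""
    return {unsalted_hash(w): w for w in wordlist}


def recover_unsalted(stored_hashes, table: dict) -> dict:
    """Every unsalted hash of a wordlist entry is recovered by a plain dictionary lookup."""
    return {h: table[h] for h in stored_hashes if h in table}


def recover_salted(rows, table: dict) -> dict:
    """rows = [(hash, salt)]. The table has no entry for hash(hash(pw)+salt), so nothing matches."""
    return {h: table[h] for h, _salt in rows if h in table}


def same_password_collides(password: str) -> tuple:
    """Two accounts sharing a password: identical when unsalted, distinct when salted."""
    unsalted_same = unsalted_hash(password) == unsalted_hash(password)
    salted_same = salted_hash(password, new_salt()) == salted_hash(password, new_salt())
    return unsalted_same, salted_same
```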
