Re: Source of bad password hashing practices? MySQL manual...

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/09/2013 03:16 PM, Chris Palmer wrote:
> There is more bad advice on that page:
>
> """ ...Even passwords like“xfish98” are very bad. Much better is
> “duag98” which contains the same word “fish” but typed one key to
> the left on a standard QWERTY keyboard. ... """
>
> And then a rather wacky assertion:
>
> """Invest in a firewall. This protects you from at least 50% of
> all types of exploits in any software. Put MySQL behind the
> firewall or in a demilitarized zone (DMZ)."""
>
> Ideally, someone (Seth Arnold started; want to finish?) should
> rewrite all the bad stuff on that page, and send it to MySQL's
> security contact as a patch. I'd remove the password creation
> advice completely (other sources do a better job), and change the
> firewall thing to just say something along the lines of, "Avoid
> exposing MySQL to the internet... if you must, require
> authentication... if you must, use TLS or an SSH tunnel... If you
> use TLS, make sure the client correctly authenticates your server,
> such as by checking for a specific end-entity certificate/key or a
> specific issuer certificate/key...".
>
> Part of the rewrite should be some advice along the lines of,
> "MySQL offers a delightful built-in function you can use for
> storing passwords, SCRYPT(). Prefer SCRYPT to other mechanisms like
> MD5(), ENCRYPT(), or ... Please note that the ENCRYPT() function is
> not safe and has been deprecated as of... To verify passwords,
> check that SCRYPT(...) = scrypted_password in your WHERE clause...
> Do not log plaintext passwords..." And then give them a patch to
> implement SCRYPT and to log a deprecation warning when ENCRYPT is
> used.
>
> Easier said than done, of course; but I wanted to make the point
> that Rich was right to raise this issue here (or, at least,
> somewhere). Does anyone know the right MySQL security contact? It
> isn't immediately obvious from a few web searches, but maybe 
> secalert_us () oracle com is right? Making that clear, and maybe 
> publishing a PGP key, is another thing they could do...

One note, has anyone checked the MariaDB documentation, Percona and so on?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSVfqFAAoJEBYNRVNeJnmT2MIQAK6yvnjpE0cLdNIUxtQykrcT
fLTmwRnljRaE5xSkui8Yn6qM6ycwL1rpqTK4lLrTpN2yf/jGyjMCj3G3Cm8TQOFJ
rRb0wieIdTj9ZWWFTcnrX/wHJHp70tgBzD+TBun3paDT8DKP/BBuqbnWUJmFdKZI
2eeSpnprkBhkEWfJV9zWRfxBLbmqU7n6bKMf8xamejSs7N4vXNrFBQiXpXFOro/x
L9xJXt8uqxU87DVLv4COVRuh3Q+WmVeo3avAdmVO6ShjqCpCb8YqDXaSt+Kx9nPd
QpSyLMNko7/QMol4++6zvsob48sZcYIE5BNvBuTdkwvmwZjI5Q4mvd64LkFof2ko
2R5pmHwg7qHRa1THCacnokOs5GrQm7KDFSg4Lugibs4hDNbbk54tw8vo96GSGNqF
7GfL7WdW8gsiKII4TVBdcAySbSfzt9ro7iVtiHnagVm9eYUjDdg13hU/mkjATjgM
SBJv0RdMVeTOlgxoKUk6gfRDs5aYbNHABMMLsL2Cj7a2lqMhzw2dyCJBkKNvzYBB
nBPxHMtZ9tzGexFCgRWuXtGxhu+G2dOrurgOCoQqY5Y26gGcWcWJ4t2oLx+f1k1/
wq1Y8Jav6h754CUMgMWrWBXyaDzctgt5mbVg0Cyv0FeY88NtP9RZNFuSxLrGxlJl
q86ofUJSABD0Mkh1lcve
=n+C4
-----END PGP SIGNATURE-----