oss-sec mailing list archives
Re: Source of bad password hashing practices? MySQL manual...
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 09 Oct 2013 18:53:26 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/09/2013 03:16 PM, Chris Palmer wrote:
There is more bad advice on that page: """ ...Even passwords like“xfish98” are very bad. Much better is “duag98” which contains the same word “fish” but typed one key to the left on a standard QWERTY keyboard. ... """ And then a rather wacky assertion: """Invest in a firewall. This protects you from at least 50% of all types of exploits in any software. Put MySQL behind the firewall or in a demilitarized zone (DMZ).""" Ideally, someone (Seth Arnold started; want to finish?) should rewrite all the bad stuff on that page, and send it to MySQL's security contact as a patch. I'd remove the password creation advice completely (other sources do a better job), and change the firewall thing to just say something along the lines of, "Avoid exposing MySQL to the internet... if you must, require authentication... if you must, use TLS or an SSH tunnel... If you use TLS, make sure the client correctly authenticates your server, such as by checking for a specific end-entity certificate/key or a specific issuer certificate/key...". Part of the rewrite should be some advice along the lines of, "MySQL offers a delightful built-in function you can use for storing passwords, SCRYPT(). Prefer SCRYPT to other mechanisms like MD5(), ENCRYPT(), or ... Please note that the ENCRYPT() function is not safe and has been deprecated as of... To verify passwords, check that SCRYPT(...) = scrypted_password in your WHERE clause... Do not log plaintext passwords..." And then give them a patch to implement SCRYPT and to log a deprecation warning when ENCRYPT is used. Easier said than done, of course; but I wanted to make the point that Rich was right to raise this issue here (or, at least, somewhere). Does anyone know the right MySQL security contact? It isn't immediately obvious from a few web searches, but maybe secalert_us () oracle com is right? Making that clear, and maybe publishing a PGP key, is another thing they could do...
One note, has anyone checked the MariaDB documentation, Percona and so on? - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBAgAGBQJSVfqFAAoJEBYNRVNeJnmT2MIQAK6yvnjpE0cLdNIUxtQykrcT fLTmwRnljRaE5xSkui8Yn6qM6ycwL1rpqTK4lLrTpN2yf/jGyjMCj3G3Cm8TQOFJ rRb0wieIdTj9ZWWFTcnrX/wHJHp70tgBzD+TBun3paDT8DKP/BBuqbnWUJmFdKZI 2eeSpnprkBhkEWfJV9zWRfxBLbmqU7n6bKMf8xamejSs7N4vXNrFBQiXpXFOro/x L9xJXt8uqxU87DVLv4COVRuh3Q+WmVeo3avAdmVO6ShjqCpCb8YqDXaSt+Kx9nPd QpSyLMNko7/QMol4++6zvsob48sZcYIE5BNvBuTdkwvmwZjI5Q4mvd64LkFof2ko 2R5pmHwg7qHRa1THCacnokOs5GrQm7KDFSg4Lugibs4hDNbbk54tw8vo96GSGNqF 7GfL7WdW8gsiKII4TVBdcAySbSfzt9ro7iVtiHnagVm9eYUjDdg13hU/mkjATjgM SBJv0RdMVeTOlgxoKUk6gfRDs5aYbNHABMMLsL2Cj7a2lqMhzw2dyCJBkKNvzYBB nBPxHMtZ9tzGexFCgRWuXtGxhu+G2dOrurgOCoQqY5Y26gGcWcWJ4t2oLx+f1k1/ wq1Y8Jav6h754CUMgMWrWBXyaDzctgt5mbVg0Cyv0FeY88NtP9RZNFuSxLrGxlJl q86ofUJSABD0Mkh1lcve =n+C4 -----END PGP SIGNATURE-----
Current thread:
- Source of bad password hashing practices? MySQL manual... Rich Felker (Oct 08)
- Re: Source of bad password hashing practices? MySQL manual... gremlin (Oct 09)
- Re: Source of bad password hashing practices? MySQL manual... Alex Gaynor (Oct 09)
- Re: Source of bad password hashing practices? MySQL manual... Raphael Geissert (Oct 09)
- Re: Source of bad password hashing practices? MySQL manual... Seth Arnold (Oct 09)
- RE: Source of bad password hashing practices? MySQL manual... Christey, Steven M. (Oct 09)
- Re: Source of bad password hashing practices? MySQL manual... Chris Palmer (Oct 09)
- Re: Source of bad password hashing practices? MySQL manual... Kurt Seifried (Oct 09)
- Re: Source of bad password hashing practices? MySQL manual... Jeremy Stanley (Oct 09)
- RE: Source of bad password hashing practices? MySQL manual... Christey, Steven M. (Oct 09)
- Re: Source of bad password hashing practices? MySQL manual... gremlin (Oct 09)
- Re: Source of bad password hashing practices? MySQL manual... John Haxby (Nov 07)