We currently use CipherMode.CBC to encrypt user passwords. Fortify scan recommends we use CipherMode.CTR.
If we change that, what would happen to the existing encrypted passwords? Would they be decrypted correctly with the new mode when they were encrypted using a different one?
Any other issues we need to look out for?
Related
I know a question like this has been asked a million times, but I was unable to find an answer that fits my needs.
I'm building something like a small internal password manager for my company, to store login data for various servers and so on.
When a new user is registered, his password will be saved in the database in a salted/hashed version so no one can get access to it (and for that part I think it's all OK, correct me if I'm wrong).
But then, when the user is logged in, he is able to add a new server with its login details.
The question is how to store those.
Because, at some point, I have to present these login details to the user in plain text (that is the whole point of this application).
The best I could come up with is using some kind of symmetric encryption.
The idea is that the app will encrypt the login details with symmetric encryption and save them that way in the database, and then when the data is needed again it will extract it from the database, decrypt it with the same key and present it to the user (and the key should be in the source code of the application?).
It could be asymmetric encryption, but it's the same if the public and private keys are stored in the same source code; then there is no benefit in using it?
That doesn't seem too secure, but I can't think of anything better.
Is there any better way to do this, to store this login data?
If it's important to you, the application will be in PHP and the database is Oracle.
I would just use symmetric encryption. The standard steps are:
1. Derive a symmetric key from a user-supplied password (e.g. PBKDF2 or scrypt)
2. Encrypt the data using AES-128-CBC or better with a good random IV
3. HMAC the result (e.g. HMAC_SHA256) or just use AES GCM mode
4. Store IV+ciphertext+MAC in the database.
This can all run in a browser these days (see crypto-js and aes-js). That way the server never gets to see the plaintext password (not sure if this is a requirement).
The MAC can also serve as a password hash, i.e. if the MAC validation fails, then it means the supplied password is incorrect.
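The steps from the answer above, written out as an added example (not code from the original post) using Node's built-in crypto module. The per-record salt stored alongside the IV, PBKDF2-HMAC-SHA512 with 210,000 iterations, and the split into separate encryption and MAC keys are assumptions; `sealSecret` and `openSecret` are hypothetical names.

```javascript
const nodeCrypto = require('crypto');

// Assumed parameters (not from the original answer).
const ITERATIONS = 210000;
const SALT_LEN = 16, IV_LEN = 16, MAC_LEN = 32;

// Step 1: derive key material from the user's password.
// 48 bytes: first 16 for AES-128, remaining 32 for HMAC-SHA256.
function deriveKeys(password, salt) {
  const okm = nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, 48, 'sha512');
  return { encKey: okm.subarray(0, 16), macKey: okm.subarray(16) };
}

// Steps 2-4: encrypt with a fresh random IV, MAC the result, and return
// salt + IV + ciphertext + MAC as one base64 string for the database column.
function sealSecret(password, plaintext) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN);
  const { encKey, macKey } = deriveKeys(password, salt);
  const cipher = nodeCrypto.createCipheriv('aes-128-cbc', encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const body = Buffer.concat([salt, iv, ct]);
  const mac = nodeCrypto.createHmac('sha256', macKey).update(body).digest();
  return Buffer.concat([body, mac]).toString('base64');
}

// Verify the MAC before touching the ciphertext. Returns null when the
// password is wrong or the stored record was modified.
function openSecret(password, record) {
  const raw = Buffer.from(record, 'base64');
  if (raw.length < SALT_LEN + IV_LEN + 16 + MAC_LEN) return null;
  const body = raw.subarray(0, raw.length - MAC_LEN);
  const mac = raw.subarray(raw.length - MAC_LEN);
  const salt = body.subarray(0, SALT_LEN);
  const iv = body.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const ct = body.subarray(SALT_LEN + IV_LEN);
  const { encKey, macKey } = deriveKeys(password, salt);
  const expected = nodeCrypto.createHmac('sha256', macKey).update(body).digest();
  if (!nodeCrypto.timingSafeEqual(mac, expected)) return null;
  const decipher = nodeCrypto.createDecipheriv('aes-128-cbc', encKey, iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```

Because the MAC covers the salt and IV as well as the ciphertext, a change to any stored byte is rejected before decryption runs.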
I was thinking about this particular scenario.
Suppose I have a table named db_passwords, which stores the passwords for different databases. And now I am worried that anyone can view these passwords by writing a simple select statement. At the same time I want to have the facility to connect to a particular database from a program.
I got to know that there are Oracle encryption packages which encrypt a particular column, with the help of which I can encrypt a particular column of a table, and the logging in to a db is done with the help of a key.
But I couldn't draw a clear picture of what happens in such a scenario, like,
for a particular line of code meant to connect to a db, as follows:
sql > connect to "username" identified by "password " using ' db_name".
In the above statement, in place of the password, am I supposed to enter the key, and if I enter the key will PL/SQL automatically decrypt it?
Looking forward to your illustrations and insights on what exactly happens in such situations.
EDIT
OK, I had misinterpreted your question. I thought you were creating a login form and wanted to know how to store users' passwords. I now understand you simply want to store the passwords for your databases in some other database.
And well, if people that are not supposed to know the passwords for other databases have access to this "password database", then the simple answer is: don't store them there.
Of course, as you noted, by storing passwords in the clear in your DB, anyone will be able to see them. What you need to understand, though, is that encrypting them will not help in any way. If you encrypt them, then your application will need to be able to decrypt them (that is, your application will need to know the key). If your application knows the key, then anyone who has access to your source code is able to take that key and then decrypt the passwords that are stored in the database.
What you should do is store them somewhere only those who are supposed to know the passwords have access to. You can, for example, store them in an encrypted configuration file. The permissions for that file should be set in a way that only the correct OS users (the root, for example) can read it. Then your application will read the password from that file.
You should hash passwords before saving them to the database (ideally at the application level). By hashing, you transform a given input string into another one with a fixed length. The generated string will [ideally] never collide, meaning that "password123" will generate a string, while "password1234" will generate another one completely different.
When the user wants to log in, you again hash the password he provided and compare it to the hash that is stored in the database. If they're equal, then the password is correct.
If, for some reason, you can't hash at the application level, you can use PL/SQL's built-in hash functions (documentation).
Please note that if you hash with, say, SHA512 and store it directly in the database, there are still ways to discover the original password. The way to really make your passwords secure, so that no one would be able to "decrypt" them even if they have access to your DB, is by hashing the passwords with a random salt. If you want to know more about that, you can read about bcrypt.
My friend created his platform using Laravel, and he encrypted the users' passwords using Laravel Hash. I never worked with Laravel. I'm building a simple Android application to list all the users from his website, using PHP and Java, and I would like to decrypt the passwords for the login.
I usually use md5:
$password = md5($_GET['password']);
But he used a different hash. My password appears encrypted like this:
Q5joXS5QBA0xdV2Ed2c80e12ac10766d48ef5d8a916e445064091725156d7776958a3937b5cbe79
Thanks.
Some small research seems to show that they are hashed using Bcrypt. This is different to encrypting because it is one way. So to check if the two passwords match, you will need to encrypt the user input with Bcrypt and then check if the two match.
http://laravel.com/docs/4.2/security - Info on BCrypt.
You could use this to check if your passwords match up.
http://www.bcrypt-generator.com/
EDIT: I would advise against using md5 encryption as it is not very secure and it can be "decrypted" by brute force.
Example: http://www.hashkiller.co.uk/md5-decrypter.aspx
I am using the ASP.NET membership provider, and by default the HASHED password format was being used behind the scenes. Recently I found out that password retrieval is not possible using that format, so I need to change the password format to CLEAR or ENCRYPTED. However, after doing this, is there any possible way to change the passwords of existing data through the database? Or do I need to delete all records and start creating them from scratch?
Also, how can one handle the situation where the password format needs to change from CLEAR to ENCRYPTED?
No, you will not be able to decrypt a hashed password. Hashing is by definition one-way. The two-way option available is the encrypt option, or clear.
The main function of hashing a password is for one-way encryption. Even internally when values are compared they are compared as hashed values.
[OK, technically one could decrypt a hashed value, but this enters into the realm of hackers, rainbow tables, salt values, and I do not think you wish to go there]
For more please see here
I am very new to web applications (ASP.NET). I have the source code and database for a complete project.
An ASP.NET (Authentication) control is used for login. I don't know the password right now, but I can get the login name and the password in encrypted format from the database table.
How could I log in to the application with only this little information available?
As the controls are dynamically created on the pages, it is very hard to debug and find them at runtime.
How could I proceed to log in with the encrypted password? Or is there a way to log in by overcoming the Authentication control?
The password is probably SHA1 encrypted. Basically what you have to do is SHA1 encrypt the password the user gives you and compare that to the password in your database. Because SHA1 always results in the same thing if the input is the same, you will know that the user's given password is correct if both hashes match.
SHA1 encryption is a form of hashing and cannot be reversed.
No, hashed passwords in the database are non-reversible intentionally. This keeps anyone (a hacker?) from reading your database and being able to log in.
As Sam152 said, the passwords are likely SHA1 hashed, so if the passwords are not stored with salt, you can build a rainbow table to find the original password. If they are salted, you need to know the salt to build the rainbow table as well.
You could try implementing a custom MembershipProvider by deriving from this class. Then you just override the method ValidateUser to meet your requirements. Also remember to modify Web.config.
The point of hashed passwords is that they can't be used by folks not knowing the decrypted password.
There should be a way to reset the password for users. You could do this and log in based on the reset password.
If you are trying to log in to an active user's account, you may want to consider the implications of doing so without their knowledge (if that is the case). However, if it is just a test user, resetting the password is probably the least cumbersome way. That functionality or procedure should probably be part of the web app anyway.
If it's the standard ASP.NET membership stuff, I think it uses a stored proc to check the DB. Just change that and have it return true or whatever.
Adding to the above answers: SHA1 encryption output is 40 bytes. You should check the length of the encrypted password to get an idea about the kind of encryption. Since a hash algorithm has a predefined number of output bytes, this would help you map it to the kind of algorithm, and then you should look for possible salt usage, as #MattGWagner said. Do the tables in the database that store user information look like aspnet_users, aspnet_membership, etc.? Then this should be the standard authentication provided by Windows. Just Google it and see how it works.