I am currently recreating my portfolio, which is powered by a node/express backend. I want to have some pages where I can update/add projects to my portfolio, and I know that I will be the only admin on this site. I want to protect these pages with admin credentials. I think a user table on my database (mysql) is overkill though... is it a good idea to store user/(hashed)pass in process.ENV? I feel like theres a better way.
A database can be anything, text file, sql db, json file, even a variable in your program. A database it's just something which store data.
So, for me, you can without any issues store your credentials in the process.env. The only constraint is that you have to restart your server whenever you wan't to change password and you have to inject yourself the credentials in environement variables.
But if you're already have an sql database in your project, the best way is effectively to use a table User with hashed password. With this method you can change your password without restarting your app (but in your case is this really usefull ?) and if you're adding some users, the system will be already in place (but YAGNI)).
Related
I am very sorry if this has been answered before, but I have searched for 2 days and cannot find the answer. I have 2 databases and I need to import users from the current database to a new one. The new database is for a chat system that has recently bee installed and I would like all users to be added to it.
So I thought I would simply manually add the users in the new database using information from phpmyadmin. But the encryption for the password is a different format and will not work.
For example in the first database the encryption is:
z70I9QINffX2Hh7FxQ==
In the second database the format is:
3eb5c61f784aa3c2e11d879382387d420f7c4ebf
Neither seem to be MD5 and I can't find out which type it is.
I know this is a stretch but does anyone know of a way to detect the type of encryption and how I can take a password, such as 'password' and encrypt it using the correct encryption type?
Thank you
You could try using a generic password for the root user, or logging into mysql as the root user & creating another user manually. Not sure what kind of access you have, but that's been the best bet in my experience.
Hope it helps.
The password encryption mechanism would be stored in the application's code. The 1st example looks like Base64 but can't be sure without comparing others. The 2nd example appears to be SHA1/MySQL5 Sha1(Sha1(pass)).
You're going to have to research the apps that are using these databases and to determine how it's creating and storing these account passwords in the database. Either way, you are trying to link 2-dbs that have different password mechanisms, that might require standardization of the passwords which might mean a password resets.
There is a harder way, you have a database of one-way hashed passwords. It will require a bit of focus in scripting... You would have to generate hashes for the cryptographic hashes used and compare to your users passwords to get the plaintext password. Then you recreate their accounts in the new DB using their passwords to create the new user with same credentials.
I am writing a multi-user-application in Delphi (Object Pascal).
I want to use either MySql, Oracle or PostgreSQL as database.
I have a table Users with a username and password column.
(I do not want to have seperate DB logins for each user)
Of course the application itself has to connect to the database and authorize users by the entered username and password combination.
Software like SAP, Sage or Social Networks would use the same approach, i would guess?
So the application has to know a DB login username and password to connect to the database and then check the Users table.
My question is:
Where do i save the DB login username and password for the application so it can check the Users table?
I do not want to hardcode it in the application as it can be easily accessed by reverse engineering and then used to directly connect to the database.
Honestly, your best approach is to follow best security practices around your server. You could use a salt, but the hash function will have to live on the server, too, and if a hacker has access to the server in the first place then it won't be long before they find the hash and pull the password.
I think efficient organization actually produces some security through obscurity. That is, put the DB connect credentials and string in a config file. Still, access to the application code will give a hacker the clues to get what they want, but it doesn't mean you shouldn't follow best coding practices.
Then, lock down your box. Work with your security team to make sure it isn't accessible by anyone they don't want accessing it.
Im looking for a way to encrypt a mysql DB so that only a logged in user can access their data, any other user will not be able to access the data, even if they are the system admin and are able to download the .sql file and browse it locally.
Is there a way to implement this ?
Background / Why I would want to do this - Someone was talking to me the other day about creating a web application for use in their industry, they wanted to produce the web app, use it in house, but also offer it to other companies in their industry as a SaaS platform, as a point of trust they wanted to setup their DB so that they could not access the data of what would be their users (which may also happen to be their competitors)
If each user/account holder has to provide a cryptographic key at login, which is stored in the session (not the database) then all their data could be encrypted (hashed) so that anyone with admin access would look at the tables and not see data.
There's no way to guarantee that the administrator, already having database access, couldn't get webserver access and intercept the key, however.
We are storing sensitive data in MySQL, and I want to use AES_ENCRYPT(data, 'my-secret-key-here') and then AES_DECRYPT which works great. My biggest question is how do I secure the key? Previously I just wast storing the key in a web PHP file, so something like:
define("ENCRYPTION_KEY", 'my-secret-key-here');
This really doesn't work though, as our MySQL server and web server are the same physical machine, so if somebody gains access to the server, they can get both the encrypted data stored in MySQL and the key.
Any ideas? I am thinking I need to move the key to a separate server, and read it in remotely. Or, what about generating the encryption key dynamically for each piece of data. For example taking the customer_id and running md5 on it, and then using that as the key.
Put the secret key in a file, change the file owner to the same user as the web server. Remove all permissions on the file for the group and everyone else.
There's a similar question on Superuser (https://superuser.com/questions/139393/linux-file-permissions-access-control-query) -- I'm sure you could get better help over there, or just by Googling for more information about file permissions on the system you're running.
A couple options:
Save the decryption key to a file with proper permissions
If you really want to store the key offsite, "mount" a drive from a different machine. You'd still need to setup permissions properly though.
Bottom line is the master password has to be accessible to the server - which means there's no way to completely wall it off. The best you can do is set user/group permissions on it and make sure it's outside the web root.
If you don't need the ability to decode the value back to plain text (ie if you are just comparing values like a password) consider using a hash instead.
We need to deploy application(developed by Java) WAR file in client place which make use of MySql 5.0. But we would like to restrict the client (the application owner, not the webpage visitor) from modifying any data in the database. Is there any way to protect data. The client can make use of the application but they should not be able to change any value in database. How to do that?
Manage Role/User permissions
Create an sql user (you should already have one), which will have only SELECT permission. So it would be something like
GRANT SELECT ON db_base.* TO db_user#'localhost' IDENTIFIED BY 'db_passwd';
http://kb.mediatemple.net/questions/788/HOWTO:+GRANT+privileges+in+MySQL
http://blog.wl0.org/2010/01/managing-mysql-grants/
http://www.ntchosting.com/mysql/grant.html
Check links below for further reading
FOR MySQL
Best Practice for Designing User Roles and Permission System?
http://www.databasejournal.com/features/mysql/article.php/3311731/An-introduction-to-MySQL-permissions.htm
http://www.devshed.com/c/a/MySQL/MySQL-User-Account-Management/
Can't set permissions on MySQL user
http://www.aquafold.com/d7/docs/BD5C99E4-3B55-C812-8318-6338A9A89ED9.html
FOR SQL Server.
http://www.databasejournal.com/features/mysql/article.php/3311731/An-introduction-to-MySQL-permissions.htm
http://www.mssqlcity.com/Articles/Adm/SQL70Roles.htm
http://www.sql-server-performance.com/articles/dba/object_permission_scripts_p1.aspx
https://web.archive.org/web/1/http://articles.techrepublic%2ecom%2ecom/5100-10878_11-1061781.html
http://www.databasejournal.com/features/mssql/article.php/2246271/Managing-Users-Permissions-on-SQL-Server.htm
This is impossible; if you deploy the application at the client, he will have the credentials and will be able to log into the MySQL database and pretent he is the application. And thus he can make any change to the database that your application can.
The only way to solve this securely is to make a tier between the client and your MySQL database, and make sure that you control this so that it is only possible to make 'legal' changes.
Just write the code accordingly so that the user doesn't have any chance to modify the database? I.e. the code doesn't execute any INSERT or UPDATE and/or controls the access based on a login/role.
I honestly really don't forsee any problems here, or the code must be prone to SQL injection attacks.
Update: The above answer is actually irrelevant since the question is clarified. Turning into Community Wiki.