I have exported my data from Parse.com but the passwords are encrypted using bcrypt. I will be storing the data in a MySQL database and users will connect over a simple RESTful API. Assuming I capture the username and password, how do I check this matches the stored password?
I'm going to go out on a limb here and say that there is no way to decrypt the passwords once they're encrypted with bcrypt - this would be a massive security hole for a myriad of reasons. Here are a couple of links that hint towards this being the case:
https://www.parse.com/questions/encryption-decryption-techniques-provided-by-parse-for-passwords-or-urls We use bcrypt internally to store passwords. However, we don't expose the encrypted version of the password in our API, so you wouldn't be able to decrypt it anyway.
How to send Parse user's password to external API Request?
https://stackoverflow.com/questions/35593429/get-parses-user-password-in-decrypted-format
In short, you're going to have to communicate out to your users that they'll need to change their password (or at least confirm it) when you migrate them over to the new service.
I'd suggest a workflow like so:
Inform users that their password needs to be confirmed/re-validated. Up to you whether you inform them that it's due to a data migration, but I usually air on the side of disclosure and honesty. You could do this on a per-user basis or send out a bulk communication.
When a user goes to log into your app next, prompt them to validate their password (or change it). Use the Parse SDK to validate the password, and if authentication is successful, re-encrypt the now-known password using a crypto solution of your choice, then store it in your new BaaS/dB.
If the user cannot validate their password or does not remember, use an email or 2FA verification process to reset their password and store it in the same manner.
It is impossible to decrypt the passwords.
I strongly recommend you to use parse.com database migration tool to export your data to an external MongoDB. You can use Parse Server to serve the RESTful API. It can be easily done by hosting your own self-hosted server or a Parse Hosting solution like https://www.back4app.com
See all options in the link below:
https://github.com/ParsePlatform/parse-server#parse-server-sample-application
Related
on a Windows local network I have a MySql database, several client applications (that only query the database) and one Windows NT service that fills the database on a regular basis.
I am looking for the best way to store database credentials such that all applications can access the database.
For the client applications (that are run by normal users) I store the credentials in the Windows credential manager, that as far as I understand is only visible to the specific user.
My question is:
Where do I best store the MySql credentials such that the Windows service can access the database?
thanks in advance,
Nicolas
The LsaStorePrivateData and LsaRetrievePrivateData functions are a reasonably straightforward method of storing and retrieving a secret. Data stored in this way can only be retrieved by someone with administrative access to the machine. This doesn't provide 100% protection, but (assuming there are no bugs and that the cryptographic algorithm has not been broken) the protection is as good as is logically possible if the secret has to be retrieved by a system service without manual intervention.
There is no built-in GUI for LsaStorePrivateData. You will need to write some code that uses this function to save the MySql credentials. (This code could, however, be located in the same executable as the system service, and accessed via a command-line option.)
The service runs as a user also, so why can't you use the same approach for it? That assumes that the service runs as its own user, or some other secure account.
I'm working on an application in VB.NET that has to connect to a MySQL database and FTP. How secure is it if I used it in an application that I gave to other people. E.g. if I was to let other people use this application would they be able to find out the MySQL and FTP connection details through intercepting packets or something like that?
If that's the case how can I work round this? Also, part of my application is an uploader for users to upload files, is FTP secure for that or are there better alternatives ways in doing that? My server is a Windows Server 08 if that makes any difference.
Thanks in advance.
FTP is plaintext. It is very easy to get user names and passwords just by packet sniffing. If the ftp is supposed to be secure rather look ay sftp or ftps solutions. These use SSL type encryption on the network layer. Never ever use a ftp server for sensitive information.
MySQL traffic can also be sniffed though it is considerably harder to reverse engineer the protocol. If data has to flow between client and mysql in a secured fashion you can configure mysql to use SSL certificates to encrypt the information. This will ensure security is of highest standards.
It depends, but as per Accessing SQL Server with Explicit Credentials article and it is applicable to MySql as well:
The recommended method is to store the predetermined user name and
password on the server, and then read it and add it to the connection
string at run time. An advantage of this technique is that your
application can access the database using different credentials under
different circumstances, depending on what it needs to do in the
database.
Security Note Never hard-code credentials as strings into programs in your application. Anyone who can get access to the code
file, even the compiled code, will be able to get at the credentials.
Security Note Always give a predetermined user name the minimal access privileges to a resource. Never use "sa" or any other
administrative-level user name. Always use passwords
My problems is as follows. I use a SQL Server 2008 database. I don't want to put db passwords in plain text on my configuration. I know that there is an option to encrypt the app.config like the following article explains, but in my case I don't think it is sufficiently secure. Someone proposed that I will try to search for a way to use client side certificates to connect the database. I could not find a way to do it and appreciate your help here.
Many thanks,
ikaso
Based on comments to the quesion..
If you use "Windows Authentication" then no passwords are needed.
The credentials are taken from the token of the logged in user. The "logged in" user can be
A human using some app
IIS App Pool credentials
Windows Service credentials
So the password entry is done when configuring IIS or the service, or when the human logs in.
This assumes a domain of course...
I am working on a site that will be using HTML5 sockets to communicate with other server. At that time our users will be logged in , I can't code on other server . I am using PHP at server side. I don't know whether other server has even PHP or not. Client says PKI is a solution. So if user login on our server then I start their communication with HTML5 sockets towards other server to send and receive data. So how can other server authenticate them? I also think that I can have a userkey (like 32hash format) that is sent with HTML5 socket while communication that other server validate and then start working with that user. So client says that hacker can see data over network so I think SSL can work for it. What you guys suggest in such scenario? Please advise
More details:
There will be connection made between our users and another server using apache thrift(will be using TCP), and scenario is that user will login to our site, then we will connect them via HTML5socket to apache thrift on different domain, so in HTML5socket communication we will be forwarding userid to tell thrift server that which user is this, so it is fine. But there are two problems,
As HTML5sockets are at client side then a hacker can create his/her own socket and connect to that server in same way and use some one's id as these are just simple integers.
If we will append some thing in data then a hacker sitting on the network can get it like some hackers do this for session hijacking.
So that's why I am not sure that whether using a sort of SSL or TLS will solve the problem or some PKI or some other digital certificate. So that's why I am asking that here.
thanks
SSL cannot solve this problem. SSL is about creating a secure link between the client and server, it does absolutely nothing to protect the server from a malicious client. SSL cannot solve the problem of SQL Injection or in your case Insecure Direct Object Reference relating to the user id. Judging by this SSL suggestion you probably have never heard of TamperData, which allows you to read/intercept and modify all HTTPS traffic generated by your browser (Including components like flash and JavaScript), BURP is more advanced but does the same thing.
The right way to do this is to have a shared session store that your collection of servers can access. The client is issued a very large random number or cryptographic nonce that it uses as a verification token, which is kind of like a session id. This verification token is used to look up session state in the data store. The communal session store could be as simple as a PHP page that accepts the verification token as a parameter and tells you if its linked to a valid session.
Having 3rd parties issue a callback to verify the session is really the "right way" to do this. It is possible to do this with cryptography, although it is a misuse of cryptography because it introduces the possibility of an attack, where as a callback is absolute. The PHP server can issue the JavaScript client an HMAC token consisting of the user id, a timestamp and the message authentication code. The tricky part is that both the PHP server and any 3rd party will have to share a secret in order to verify the message authentication code. If done properly you can transmit the client can transmit the token, and 3rd parties can verify that the session hasn't expired based on the timestamp and that your servers issued the token (instead of a hacker's forgery) based on the message authentication code.
Can one easily 'plug-in' an existing credentials repository to use when authenticating users on a DotNetNuke web site and can we then take advantage of the DNN authorization framework?
More specifically: we have a database of user credentials (mySql) used to authenticate users. We're investigating using DNN for a new web site but are restricted to using the existing credentials repository. We can easily make the repository accessible but will we need to do any 'tweaking in the MS-Sql database that DNN uses etc?
Btw, am complete DNN newbie and just investigating feasability.
Pointers appreciated.
DotNetNuke has an authentication provider and membership provider, both of which you would probably need to implement to be able to use a separate database for credentials (though if it's just for credentials, you would just write an authentication provider to check that database upon login, then user regular DNN users for the membership part, if you're not pulling profile info from there).
As Brian Dukes mentioned there is a provider model that makes this really easy. And I might be able to get your 99% of the way there. I have a commercial product External Database Authentication Provider that connects to any external SQL Server for this type of thing. Now it only communicates to SQL Server, but you can either grab the source and make 2-3 changes and be set, or I know other users in the past have actually created a SP in SQL Server that went to MySQL and used my module as is.