I am writing a multi-user-application in Delphi (Object Pascal).
I want to use either MySql, Oracle or PostgreSQL as database.
I have a table Users with a username and password column.
(I do not want to have seperate DB logins for each user)
Of course the application itself has to connect to the database and authorize users by the entered username and password combination.
Software like SAP, Sage or Social Networks would use the same approach, i would guess?
So the application has to know a DB login username and password to connect to the database and then check the Users table.
My question is:
Where do i save the DB login username and password for the application so it can check the Users table?
I do not want to hardcode it in the application as it can be easily accessed by reverse engineering and then used to directly connect to the database.
Honestly, your best approach is to follow best security practices around your server. You could use a salt, but the hash function will have to live on the server, too, and if a hacker has access to the server in the first place then it won't be long before they find the hash and pull the password.
I think efficient organization actually produces some security through obscurity. That is, put the DB connect credentials and string in a config file. Still, access to the application code will give a hacker the clues to get what they want, but it doesn't mean you shouldn't follow best coding practices.
Then, lock down your box. Work with your security team to make sure it isn't accessible by anyone they don't want accessing it.
Related
I am currently recreating my portfolio, which is powered by a node/express backend. I want to have some pages where I can update/add projects to my portfolio, and I know that I will be the only admin on this site. I want to protect these pages with admin credentials. I think a user table on my database (mysql) is overkill though... is it a good idea to store user/(hashed)pass in process.ENV? I feel like theres a better way.
A database can be anything, text file, sql db, json file, even a variable in your program. A database it's just something which store data.
So, for me, you can without any issues store your credentials in the process.env. The only constraint is that you have to restart your server whenever you wan't to change password and you have to inject yourself the credentials in environement variables.
But if you're already have an sql database in your project, the best way is effectively to use a table User with hashed password. With this method you can change your password without restarting your app (but in your case is this really usefull ?) and if you're adding some users, the system will be already in place (but YAGNI)).
I am very sorry if this has been answered before, but I have searched for 2 days and cannot find the answer. I have 2 databases and I need to import users from the current database to a new one. The new database is for a chat system that has recently bee installed and I would like all users to be added to it.
So I thought I would simply manually add the users in the new database using information from phpmyadmin. But the encryption for the password is a different format and will not work.
For example in the first database the encryption is:
z70I9QINffX2Hh7FxQ==
In the second database the format is:
3eb5c61f784aa3c2e11d879382387d420f7c4ebf
Neither seem to be MD5 and I can't find out which type it is.
I know this is a stretch but does anyone know of a way to detect the type of encryption and how I can take a password, such as 'password' and encrypt it using the correct encryption type?
Thank you
You could try using a generic password for the root user, or logging into mysql as the root user & creating another user manually. Not sure what kind of access you have, but that's been the best bet in my experience.
Hope it helps.
The password encryption mechanism would be stored in the application's code. The 1st example looks like Base64 but can't be sure without comparing others. The 2nd example appears to be SHA1/MySQL5 Sha1(Sha1(pass)).
You're going to have to research the apps that are using these databases and to determine how it's creating and storing these account passwords in the database. Either way, you are trying to link 2-dbs that have different password mechanisms, that might require standardization of the passwords which might mean a password resets.
There is a harder way, you have a database of one-way hashed passwords. It will require a bit of focus in scripting... You would have to generate hashes for the cryptographic hashes used and compare to your users passwords to get the plaintext password. Then you recreate their accounts in the new DB using their passwords to create the new user with same credentials.
Im looking for a way to encrypt a mysql DB so that only a logged in user can access their data, any other user will not be able to access the data, even if they are the system admin and are able to download the .sql file and browse it locally.
Is there a way to implement this ?
Background / Why I would want to do this - Someone was talking to me the other day about creating a web application for use in their industry, they wanted to produce the web app, use it in house, but also offer it to other companies in their industry as a SaaS platform, as a point of trust they wanted to setup their DB so that they could not access the data of what would be their users (which may also happen to be their competitors)
If each user/account holder has to provide a cryptographic key at login, which is stored in the session (not the database) then all their data could be encrypted (hashed) so that anyone with admin access would look at the tables and not see data.
There's no way to guarantee that the administrator, already having database access, couldn't get webserver access and intercept the key, however.
Here's my situation: I have a file, homepage.php, that I want to allow my customers to host on their servers. homepage.php needs to somehow get information from my database, but I don't want my customers to have full access to my database. What's the best way to do this and how can I make it work?
I tried to do it by including the line:
require( "http://www.mydomain.com/connect.php" );
in homepage.php but I'm not sure if that's the right way and also, it gives me an error.
What error does it give you? Also that won't work because your server parses the PHP and send back the result, rather than including the source code like you want.
Easy solution
Have a read-only account, and give those details out to your customer's pages.
Then they can set up the mysql connection with the IP/exposed port of your mysql server and log-in from there.
Better solution
Have accounts for each customer, so privileges can vary accordingly, otherwise same as above.
Best solution
Expose access via a SOAP service. If you have enough customers and they're developing with you, an API is invaluable.
Without the warning it is hard to troubleshoot the connection issue although I bet it might have something to do with it looking at localhost versus the IP of the machine where the database resides.
The best solution is to have an ini file that has the username and password in it for each individual customer and have the connect.php file look for the ini file on that customers local webserver. You can then configure the priveleges for each account to have only select access to certain tables, or update priveleges to certain users, etc.
Also if your customers will be building their own code around yours, developing a SOAP service might be useful.
I just realized that there is no best way to hide MySQL string connection password in my executable file, especially in JAR file. Even encrypting it in EXE would only slow down the process (although I'm not sure how much time would it take to get an encrypted password from an EXE file).
So, from my understanding, I need something in the middle that would do the add, edit, delete etc to the database. Seems like a job for REST API or maybe SOAP services.
My question is, which one should I use? Or should I use something else? I was thinking Zend Framework to create those REST APIs. Then, I would use Qt to create a desktop application to call those APIs. But if I proceed with REST, my application would be a 3 tier application. Wouldn't it be better if I just create a web application? Maybe I should just stick to desktop application call those APIs since the application is already finished and I just need to change from connecting directly to MySQL to calling those APIs to perform tasks rather than changing the whole application to a web.
Any advice would be very helpful. Thanks in advance.
UPDATE:
I'm looking for a security that would protect my MySQL password connection.
Obfuscator would only obfuscate the code, it won't hide my string database information which In my opinion can be easily found using grep after decompiling the JAR using tools like JAD.
About my application:
Using a centralized MySQL database
Thousands of user
Contains sensitive information
My client uses Linux and Windows
My server uses Linux
All access are done in LAN, no outside connection (from Internet etc)
My current solutions (comments please):
Using REST APIs (safer since MySQL password is in the server)
Using Qt with encryption to the password
It depends on what kind of security are you looking for. Is this to protect the application from the user? To protect the user's data from other users? To protect multiple users' data from one another? To protect the user's data from an attacker?
In a lot of applications there's nothing wrong with storing the database login credentials in plain text. In other cases, you might try:
encrypting a user-chosen database password using a reasonably strong algorithm, e.g. Blowfish, using a hard-coded key;
having the user provide the password and "log in" to the program each time;
storing the database password in plain-text, but encrypt the data using a hard-coded key;
same as the above, but encrypt each user's data using their own provided password;
same as 2 but store each user's data in their own database with their login info as the database credentials;
storing the data on a secure remote database that users have to log into to access via a SOAP API;
using the native filesystem permissions to protect the configuration file holding the login credentials;
same as #1 but rolling your own really elaborate key-generation system: e.g. run the machine SID or a hardware id through MD5 using a randomly-generated salt, and then using the result to encrypt the login credentials.
Remember, there's no such thing as perfect security, so whatever you settle on doesn't need to be unbreakable. It just needs to be tough enough to break to make the hassle of circumventing the security mechanism exceed the value of the data. So, for example, if the data is a list of the top scores in Minesweeper, then ROT13 would probably be enough.
Edit:
I just want to add that, even if you can't get around having to hard-code an encryption key in your application, there are obfuscators for Java, .NET, and most other popular languages/frameworks. One of the key uses of these tools is to hide sensitive hard-coded strings like encryption keys.
Edit 2:
Given the additional details about the app in question, only 1, 6 and 8 would apply in this case. And a SOAP API is more appropriate for #6 as George rightly pointed out.
I also want to mention that there are Java resource obfuscators that encrypt string literals. This is just one example.
It pretty much depends in what environment your app runs
a) db and client local
b) db and client in a local network
c) db is in the internet
my two cents:
a) I would create a single db user and wouldn't use a password but restrict acces to localhost
b) direct connect to the database is fine but I would each user have to login with his own password and grant only the permissions he needs.
c) It's a bad idea to allow mysql connections to a public server. In this case webservices would be a good solution.
Anyway if your case is b or c I would stick with a login dialog for the user.
Maybe you should have a look at this http://www.greensql.net/ tool.
It is like a firewall but for mysql/postresql
So you can deny anything and only allow queries you want to.
If you are using Java for implementing your database desktop application, I would recommend to use Java DB as the database. There is a few ways of securing it, and there are alternatives to having a password in the connection string. I would recommend to read Java DB Security - Security Features in Java DB Release 10.4
It is easy to deploy your application with Java DB, since you can have much of it embedded in the same jar file. I have used it in a Point of Sale application implemented in Java.