I add encryped password using this command:
insert into users values ("new#emal.com",ENCRYPT("password"));
Now I have encrypted passwords in that table. Is it possible to decrypt them and if yes how? What kind of algorithm is this?
Somebody hacked something on my server and is sending mails. It looks like that the password of some old accounts was guessed. So I am trying to find out what password I had there (just changed it). So I can see what password I should stop using.
The ENCRYPT() function doesn't work on MySQL running on Windows.
On Unix-style servers it uses the crypt(3) function. This performs a one-way encryption of the text you pass it.
This is not, repeat not, a secure way to store user passwords any more. If you use this on a network-accessible web site, a cybercriminal is almost certain to pwn your users. Please read this for advice: http://php.net/manual/en/faq.passwords.php
Related
I recently logged into a website (student run club website which stores event and participant information).
After successfully logging in the following message appears and follows me around for the rest of my time on the site:
You are using an insecure password. The password that you entered has
been exposed in at least one data breach.
How do you know my password is insecure? This password appears in a
database of known passwords. Hackers may use this password to try to
break into your accounts.
While I appreciate the notification that my password was compromised (and should know better and will change and stop reusing passwords etc etc) I now worry about the overall security of this site.
I don't know a terrible lot about web dev but my naive assumption, given this message and the fact that it appears after log in, is that my password must have been stored in plain text for them to be able to check it against a database. Is this correct? Or is there some clever secure way this could be done?
Just because you are receiving a notification from the site doesn't mean that your passwords are being stored in plaintext. Whatever website you are using can use your password in the "Have I Been Pwned" API before encrypting them. This of course doesn't necessarily mean that they are encrypting them as there isn't really a surefire way to know how they are storing your passwords without possibly contacting the owner or if you were to receive an email at a later date with your password in it.
You can read up on the API for password checking here haveibeenpwned.com/API or you can check for the website you are using in this list here haveibeenpwned.com/API/Consumers.
I have an application doing things on MySQL. I made it with VB.NET and with standart MySQL library. My question is, is it easy to hack? Can even basic hackers reach my database? And how can i secure it?
Thank you.
You should never save your Passwords in MYSQL_PWD environment. Because there might be a possibility in some versions of "ps" which can show/expose the password clearly to some other user.
Access to the database tables should be restricted to only those who are required to access data from them, otherwise it must not be accessed by some other user.
Automatic Password expiration technique must be up (Usually it's duration is set to 6 months or 180 days).
Sometimes the passwords are sent in a plain text in SQL Queries like Set password etc.
You must usually check the Privileges given to the users and you must use Revoke command to remove unnecessary privileges given to the users.
A Firewall must be installed before the MYSQL Database layer.
I think this answer helped you with your question somewhere.
I am very sorry if this has been answered before, but I have searched for 2 days and cannot find the answer. I have 2 databases and I need to import users from the current database to a new one. The new database is for a chat system that has recently bee installed and I would like all users to be added to it.
So I thought I would simply manually add the users in the new database using information from phpmyadmin. But the encryption for the password is a different format and will not work.
For example in the first database the encryption is:
z70I9QINffX2Hh7FxQ==
In the second database the format is:
3eb5c61f784aa3c2e11d879382387d420f7c4ebf
Neither seem to be MD5 and I can't find out which type it is.
I know this is a stretch but does anyone know of a way to detect the type of encryption and how I can take a password, such as 'password' and encrypt it using the correct encryption type?
Thank you
You could try using a generic password for the root user, or logging into mysql as the root user & creating another user manually. Not sure what kind of access you have, but that's been the best bet in my experience.
Hope it helps.
The password encryption mechanism would be stored in the application's code. The 1st example looks like Base64 but can't be sure without comparing others. The 2nd example appears to be SHA1/MySQL5 Sha1(Sha1(pass)).
You're going to have to research the apps that are using these databases and to determine how it's creating and storing these account passwords in the database. Either way, you are trying to link 2-dbs that have different password mechanisms, that might require standardization of the passwords which might mean a password resets.
There is a harder way, you have a database of one-way hashed passwords. It will require a bit of focus in scripting... You would have to generate hashes for the cryptographic hashes used and compare to your users passwords to get the plaintext password. Then you recreate their accounts in the new DB using their passwords to create the new user with same credentials.
I'm writing a c program and need to login to a mysql database. I'm trying to find a simple yet secure way of storing the username and password in the program. The program will make https calls to the mysql server. I just need to be able to include the user/password data and I don't want to store it as a string in the program.
Anyone know a simple yet secure way to do this?
This is on a linux system. raspberry pi debian (jessie).
You should not hardcode username/password into your binary, since it is very unflexible and you will tend to not change this password regularly if you have to recompile the binary each time. Furthermore, binaries are usually not specially read protected, so other users might get your password.
Passing the credentials as program arguments is a bad idea, too, since it might show up in a process list, may be safed in command line histories, may be logged by auditing tools etc. pp., so your password might end up in several places you don't want it to show up.
Your best option is to employ a configuration file with the credentials and give it the minimal rights it needs, so your credentials are safe. A simple library for linux is for example libini, which allows you to store key/value pairs in sections, but there are many other options.
Another quite safe option, which is for example employed by apache for private key passphrases and similar, is to specify a program (usually a shell script), which is executed and outputs the credentials on stdout, which is then parsed by your program. Again, you have to make sure here, that only authorized users/processes may read or execute that script.
How do I check if a user/password pair works without actually making a connection to the database?
The DBMS in question is MySQL.
That was my original question. Since most people get this question wrong, then I should rephrase it as:
How do I check if a MySQL username/password is valid, without connecting to MySQL as that user? (thanks to derobert)
I actually found a solution, check my answer below.
If you want to check if a MySQL username/password is valid, without connecting to MySQL as that user, then you should take a look at the the users table in the mysql database.
But I'd recommend not doing this; that is really an internal MySQL implementation detail, and you really shouldn't depend on it. (e.g., what if MySQL gets LDAP auth someday?)
I think this question is open to interpretation. Most people will jump in and say "You can't.", but if what you are actually asking is "How do I use MySQL to authenticate a user but not actually use the database?" then that's a whole different ball game. Take a look at mod_auth_mysql, an Apache module which does exactly that. If we had more details on what exactly you were trying to do, folks might be more forthcoming.
Login as someone who has access to "mysql" database (schema), and do:
SELECT COUNT(*) FROM MYSQL.USER WHERE USERNAME=? AND PASSWORD=PASSWORD(?)
If the count > 0 then the username/password is correct.
If the username and password are stored in the database, then there's obviously no other way to check them other than to connect first.
The best you could do is perhaps only connect to the DB when they log in. Once they're authenticated, you could store some form of session information on disk, but it's not a great solution.
In short - not posssible if the userid/password are stored in the database.
Authentication basically means that you compare the response to a challenge with known values. If you do not have the values to compare with , you cannot authenticate.
One possible solution would be to devise some sort of scheme where the username/password are an encryption/decryption key pair. Obviously, this would be more feasible in an assigned username world, but such a policy would allow you not to hit the database if that is the primary objective.