2

Currently I'm working on software which connects to a MySQL database in order to retrieve and store data. The software itself is running as it should be, but I want to implement some new security features.

One of these security features is to store the password of the database user as a hash and not in plain text. For the record, I am NOT using a table to verify users, I'm talking about the database user to connect to the database itself.

I'm currently using a MySQL connection string which sends the password in plain text:

public abstract Database()
    {
        ReadConfig();
        connectionstring = "SERVER=" + server + ";" +
                "DATABASE=" + database + ";" +
                "UID=" + username + ";" +
                "PASSWORD=" + password + ";";
        try
        {
            connection = new MySqlConnection(connectionstring);
        }
        catch (MySqlException ex)
        {
            LogService.Log("ERROR - " + ex.ToString());
        }
    }

I also store this data on the user's computer, so the user can change the server address, database, username and password. As I said, this is stored in plain text. Server addresses, database names and usernames stored as plain text are fine by me, but I don't want to store the password in plain text.

Generating a SHA1 hash (or other hashing method) is not the problem, as I already have a method to generate these hashes.

In short, I would like to save the password as a hash, and use that hash in de connection string. How can I implement this?

EDIT: I'm aware this is a 'security through obscurity' solution and it isn't the best way to extend the security of my software. I'm looking into ways to find out how to use challenge-response methods, but in the mean time I would like to implement the above.

Improve this question
5
  • what hash method you as using? Commented Sep 28, 2012 at 10:04
  • 1
    If you were able to implement this it would not provide you any advantage, because an attacker could just sniff the hashed password you sent and replay it later. In order to be effective, your database must support a challenge-response type of authentication, where you tell the database you want to log in as user x, the database sends you a challenge, and your response is based on that challenge + the password -- and I don't think mysql supports this. Commented Sep 28, 2012 at 10:05
  • @CuongLe I current don't use any hashing for this password, but I have a method to generate a SHA1 hash of a string. Commented Sep 28, 2012 at 10:06
  • @mah I understand your point, that would be another step to take. Although I'm fairly sure this will not be a problem on the networks my software will run (closed VPNs), this is something to consider. In the mean time, I would like to solve this without challenge-response communication between client and database. Commented Sep 28, 2012 at 10:08
  • @mah is on the right track here. The advantage of storing the password encrypted is being lost. Even if the code is compiled it can be reverse engineered and the hash can be recovered. One method would be to store the password encrypted and have the application decrypt it before connecting. But once again if the application can a hacker too. But I'm curious what people will come up with. Commented Sep 28, 2012 at 10:15

1 Answer 1

Reset to default
2

The best you can do here is to encrypt the user's login info and use the plaintext when you want to do a login. MySQL won't take the hashed value - if it did, this wouldn't be any more secure than using the original (unhashed) value.

A 'shared secret' challenge would be to use a proxy on your server to control the login. When a client wants to connect, the server proxy would send a long string of random bits. The client would append the (shared) 'secret text' to the end of this, use your SHA-1 hash on it and send it back to the server. The server would do the same with the text and compare the strings. This way it's essentially a different password each time and sniffing it won't matter.

Once the client is authenticated the server proxy would enable communication with the mysql process. Using libmysql (or its c#) equivalent you can duplicate anything that would happen on a 'regular' mysql client.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

I know this won't resolve the security issue in the first place, I'm merely trying to save the password on the user's computer as a hash and then sending that hash to the database. Anyway, I'll have to figure something out on how to implement a challenge-response mechanism. Thanks for the information!

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.