
I've been working with a client's MySQL database which has users' passwords stored in plain text. As I mentioned that this is a huge potential risk, we talked about hashing the passwords (not that this is a full solution, since it's possible to "de-hash" relatively easily these days) and I've come across a question that I think I might know the answer to, but I want to be 100% sure.

This client developed a couple desktop applications that require the user to insert their user/password, all in plain-text of course.

So, if we hashed the passwords by updating each password field to its MD5 (for example) hash, would modifying the desktop apps to perform this hash on the password received/input and then compare them (and login) work?

Basically, do the login procedure as it's always been but use hashed passwords instead, this being a transparent and unnoticeable operation to the users?

  • In addition to modifying the desktop application to hash the password at login before sending it to the database, you also need to make sure that users' passwords are hashed before inserting/updating user passwords in the database. Commented Jun 25, 2013 at 0:42
  • Just in case the answers didn't make it clear: do not use MD5 (or SHA-1) for password hashing. Use either bcrypt, scrypt, or pbkdf2. Commented Jun 25, 2013 at 4:03
  • the mention of md5 was merely a (simplistic) example as I am aware that md5 and sha-1 aren't really an option these days. Commented Jun 25, 2013 at 10:05

2 Answers

3

Yes, this will work and should be transparent to the users.

However, it's not very secure. If someone gets a copy of the login database, they'll get the hashed passwords. And since you're sending hashed passwords over the wire, that's all they need to know -- they don't need to unhash it.

It's better to send the plaintext password over the wire, and do the hashing in the server application or database query, e.g.

SELECT *
FROM users
WHERE username = :username AND password = encryption_function(:password)

See Encryption and Compression Functions for the encryption functions available with MySQL.

This way, if someone gets your user database, they'll need to decrypt the passwords for them to be useful to break into your application.

Either way, you should make sure the passwords are transmitted over encrypted connections (e.g. SSL). If someone sniffs the traffic, either mechanism allows them to get whatever they need to login.


4 Comments

Don't even joke about using MD5. Please. Seriously. Decrypting MD5 takes micro-seconds. It's practically plain-text.
@tadman Replaced it with a generic, and a pointer to the documentation on encryption functions.
That's precisely what I thought the solution would be, I just wanted to make sure I could do that transparently. Thanks
It's better to hash the password on the application side, because the general query log, slow query log, and binary log would store the password as plain text.
3

Yes, that would work, as a given hashing function always gives the same result when presented with the same input. The only ability your users would lose is password recovery by looking in the db, but that's not the end of the world.

A note however about

it's possible to "de-hash" relatively easily these days.

Choose your hashing function wisely to mitigate this risk - you can go here for some inspiration (tl;dr consider bcrypt, scrypt and pbkdf2)

A criterion that should influence your choice is the existence of ready-to-use, trustworthy implementations of the selected algorithm; a quick Google search for the language you're using should point you in the right direction here.

2 Comments

bcrypt is made specifically for encoding passwords and should be your #1 choice. Cryptographic hash functions are not sufficient.
I can only accept one answer as correct so I chose the more complete answer although this is also a correct one. Thanks
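Both answers come down to the same design: the client sends the plaintext password over an encrypted connection, and the server (never the desktop app) hashes it with a slow, salted KDF before comparing. Here is an added Python example of that server-side flow plus the one-off migration of a plaintext table; it is not code from the question or either answer. It assumes PBKDF2-HMAC-SHA256 from the standard library as the recommended KDF, a constructed list of `(id, password)` rows standing in for `SELECT id, password FROM users`, and a hypothetical `migrate_plaintext_table` helper.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Parameters chosen for this example (assumptions, not values from the page).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # slow on purpose: a stolen hash costs this much per guess
SALT_BYTES = 16        # per-user random salt defeats precomputed "de-hash" tables


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'algorithm$iterations$salt$hash'.

    Storing the salt and iteration count alongside the hash lets the server
    raise ITERATIONS later without breaking existing users.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Server-side login check on the plaintext received over TLS.

    Recomputes with the stored salt/iterations and compares in constant time,
    so a database copy alone is not a usable credential (unlike a client-side
    hash, which would be sent on the wire as-is).
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False                       # unknown or malformed record
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def migrate_plaintext_table(rows: Iterable[Tuple[int, str]]) -> dict:
    """One-off migration: map each user id to the hash record that should
    replace its plaintext password (the UPDATE itself is left to the caller).
    """
    return {user_id: hash_password(plaintext) for user_id, plaintext in rows}


# Constructed sample of what the client's table looks like today.
SAMPLE_ROWS = [(1, "hunter2"), (2, "correct horse battery staple")]
```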
