views:

7890

answers:

16

I've inherited a web app that I've just discovered stores over 300,000 usernames/passwords in plain text in a SQL Server database. I realize that this is a Very Bad Thing™.

Knowing that I'll have to update the login and password update processes to encrypt/decrypt, and with the smallest impact on the rest of the system, what would you recommend as the best way to remove the plain text passwords from the database?

Any help is appreciated.

Edit: Sorry if I was unclear, I meant to ask what would be your procedure to encrypt/hash the passwords.

Should I just:

  1. Make a backup of the DB
  2. Update login/update password code
  3. After hours, go through all records in the users table hashing the password and replacing each one
  4. Test to ensure users can still login/update passwords

I guess my concern is more from the sheer number of users so I want to make sure I'm doing this correctly.

A: 

hash them with md5. that's what is usually done with passwords.

Mladen Prajdic
Gavin Miller
The problem with MD5 and SHA1 for hashing passwords is not that they're 'broken' - it's that they hash too fast: http://www.securityfocus.com/blogs/262
Michael Burr
@Mike - No they're actually broken. It's been proven that collisions can be generated with either algorithm:http://www.schneier.com/blog/archives/2005/06/more_md5_collis.htmlhttp://www.schneier.com/blog/archives/2005/02/sha1_broken.html
Gavin Miller
Those collisions don't really reduce the security of the password scheme, particularly given that one will be using a salt.
Marcin
+2  A: 

As the others mentioned, you don't want to decrypt if you can help it. Standard best practice is to encrypt using a one-way hash, and then when the user logs in hash their password to compare it.

Otherwise you'll have to use a strong encryption to encrypt and then decrypt. I'd only recommend this if the political reasons are strong (for example, your users are used to being able to call the help desk to retrieve their password, and you have strong pressure from the top not to change that). In that case, I'd start with encryption and then start building a business case to move to hashing.

Cory Foy
+9  A: 

I would imagine you will have to add a column to the database for the encrypted password then run a batch job over all records which gets the current password, encrypts it (as others have mentiond a hash like md5 is pretty standard edit: but should not be used on its own - see other answers for good discussions), stores it in the new column and checks it all happened smoothly.

Then you will need to update your front-end to hash the user-entered password at login time and verify that vs the stored hash, rather than checking plaintext-vs-plaintext.

It would seem prudent to me to leave both columns in place for a little while to ensure that nothing hinky has gone on, before eventually removing the plaintext passwords all-together.

Don't forget also that anytime the password is acessed the code will have to change, such as password change / reminder requests. You will of course lose the ability to email out forgotten passwords, but this is no bad thing. You will have to use a password reset system instead.

Edit: One final point, you might want to consider avoiding the error I made on my first attempt at a test-bed secure login website:

When processing the user password, consider where the hashing takes place. In my case the hash was calculated by the PHP code running on the webserver, but the password was transmitted to the page from the user's machine in plaintext! This was ok(ish) in the environment I was working in, as it was inside an https system anyway (uni network). But, in the real world I imagine you would want to hash the password before it leaves the user system, using javascript etc. and then transmit the hash to your site.

xan
Thanks, while I don't like keeping the passwords around, they have already been around for years... The system sends out several emails that include passwords so I'll have to look at those before deciding on using a hash.
Jonathan S.
What happens if they have javascript turned off?
Malfist
You can't hash the password on the user's machine. The hashing has to be done by a trusted system. (Otherwise anyone that's stolen a copy of the password table can just send you the hash; the hash has become the password.) But, yes, this does require a secure transport like HTTPS from the user.
erickson
@Malfist: That is quickly turning into a historical concern. Very, very few people disable js. In that case, though, I would send the unhashed pass to the server and accommodate for that in server-side code. It would simply be a less-ideal fallback.
Lucas Oman
@erickson: for those who are particularly paranoid, you can store the pass double-hashed in the DB and accept a single-hashed pass from the client.
Lucas Oman
Either hash or don't hash. Hashing on the client is pointless. The threat model you're addressing with a hash is exposure of the password database. If that's not a concern, don't hash at all. Otherwise, you can't authenticate using a hash produced by the user (or read from a stolen database copy).
erickson
It may be uber-paranoid, I was just mentioning something that I didn't address properly at the time. As I said, I don't have real-world, active experiance of best practice in this area but it is somethingworth considering.
xan
A: 

To hash the password you can use the HashBytes function. Returns a varbinary, so you'd have to create a new column and then delete the old varchar one.

Like

ALTER TABLE users ADD COLUMN hashedPassword varbinary(max);
ALTER TABLE users ADD COLUMN salt char(10);
--Generate random salts and update the column, after that
UPDATE users SET hashedPassword = HashBytes('SHA1',salt + '|' + password);

Then you modify the code to validate the password, using a query like

SELECT count(*) from users WHERE hashedPassword = 
HashBytes('SHA1',salt + '|' + <password>)

where <password> is the value entered by the user.

Vinko Vrsalovic
+1  A: 

For authentication purposes you should avoid storing the passwords using reversible encryption, i.e. you should only store the password hash and check the hash of the user-supplied password against the hash you have stored. However, that approach has a drawback: it's vulnerable to rainbow table attacks, should an attacker get hold of your password store database.

What you should do is store the hashes of a pre-chosen (and secret) salt value + the password. I.e., concatenate the salt and the password, hash the result, and store this hash. When authenticating, do the same - concatenate your salt value and the user-supplied password, hash, then check for equality. This makes rainbow table attacks unfeasible.

Of course, if the user send passwords across the network (for example, if you're working on a web or client-server application), then you should not send the password in clear text across, so instead of storing hash(salt + password) you should store and check against hash(salt + hash(password)), and have your client pre-hash the user-supplied password and send that one across the network. This protects your user's password as well, should the user (as many do) re-use the same password for multiple purposes.

Mihai Limbășan
Salt does not need to be secret, and it's burdensome to keep its secrecy.
erickson
Also, to be clear - the salt should be *different* and *random* for each instance. Not pre-chosen once and used for all hashes.
Michael Burr
Mike is of course right in principle, however it's not always possible to change the salt every time (depending on the app specifics), in which case the salt must be kept secret.
Mihai Limbășan
A: 

As with all security decisions, there are tradeoffs. If you hash the password, which is probably your easiest move, you can't offer a password retrieval function that returns the original password, nor can your staff look up a person's password in order to access their account.

You can use symmetric encryption, which has its own security drawbacks. (If your server is compromised, the symmetric encryption key may be compromised also).

You can use public-key encryption, and run password retrieval/customer service on a separate machine which stores the private key in isolation from the web application. This is the most secure, but requires a two-machine architecture, and probably a firewall in between.

davidcl
Inability of staff to look up a user's password is a feature, not a drawback. Support of password retrieval isn't a tradeoff, it's a surrender.
erickson
I think that's an unfortunately absolutist position to take on this. It really depends on the security value of the information protected by that password.
davidcl
It also depends further on the size and trustworthiness of the staff in question. Password lookup makes much more sense in a small organization than in a large one.
davidcl
You never know what a given password protects; expect users to reuse passwords for their bank on your toy web app. Even if your staff is trustworthy (even if it's just YOU), you can't rule out the possibility of an external attacker getting at your password database.
erickson
If staff has a legitimate need to access another user's account, that capability should be built into the system without the staff needing to log in as the user. And the perceived need for a 'password retrieval' system can be replaced by a 'password reset' system.
Michael Burr
+3  A: 

Follow Xan's advice of keeping the current password column around for a while so if things go bad, you can rollback quick-n-easy.

As far as encrypting your passwords:

  • use a salt
  • use a hash algorithm that's meant for passwords (ie., - it's slow)

See Thomas Ptacek's Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes for some details.

Michael Burr
+4  A: 

I think you should do the following:

  1. Create a new column called HASHED_PASSWORD or something similar.
  2. Modify your code so that it checks for both columns.
  3. Gradually migrate passwords from the non-hashed table to the hashed one. For example, when a user logs in, migrate his or her password automatically to the hashed column and remove the unhashed version. All newly registered users will have hashed passwords.
  4. After hours, you can run a script which migrates n users a time
  5. When you have no more unhashed passwords left, you can remove your old password column (you may not be able to do so, depends on the database you are using). Also, you can remove the code to handle the old passwords.
  6. You're done!
DrJokepu
+3  A: 
  • Encrypt using something like MD5, encode it as a hex string
  • You need a salt; in your case, the username can be used as the salt (it has to be unique, the username should be the most unique value available ;-)
  • use the old password field to store the MD5, but tag the MD5 (i.e.g "MD5:687A878....") so that old (plain text) and new (MD5) passwords can co-exist
  • change the login procedure to verify against the MD5 if there is an MD5, and against the plain password otherwise
  • change the "change password" and "new user" functions to create MD5'ed passwords only
  • now you can run the conversion batch job, which might take as long as needed
  • after the conversion has been run, remove the legacy-support
mfx
It's also common to use a random salt for each user and store it alongside the hashed password.
Michael Haren
Something that is unknown to the user would make a more secure salt. Perhaps an internal userID or, as Michael suggested, a specially created salt value. If you're using a publicly available unique salt, like username, you should probably also salt with a constant just for good measure.
rmeador
As i understand it, salting has the purpose to prevent dictionary attacks (pre-computing the hashes of a popular passwords and comparing users to them). The salt is always visible, it is not a secret. So why not use the user name, since it is already known, and guaranteed to be unique?
mfx
User name is not a bad salt, if you consider a single system. But it would probably be worthwhile for attacker like a repressive government to make dictionaries for the most common user names to increase their chances of breaking into multiple sites. It's better to choose and store a random salt.
erickson
A: 

I'm not a security expert, but i htink the current recommendation is to use bcrypt/blowfish or a SHA-2 variant, not MD5 / SHA1.

Probably you need to think in terms of a full security audit, too

Gene T
+13  A: 
erickson
As far as hash generation supposed to be slow - that depends on the use of the hash. For password storage, thats a desirable quality. For message authentication, it may not be (particularly if the messages being authenticated are network packets).
Michael Burr
Good point; slowness is important for protecting against an offline attack. In a network protocol, a man-in-the-middle probably wouldn't have time to find a collision even with a very fast hash, as long as it wasn't broken.
erickson
A well-worded explanation of password encryption and terms, thanks.
JYelton
+25  A: 

When you hash the passwords use DO NOT USE PLAIN MD5.

Use PBKDF2, which basically means using a random salt to prevent rainbow table attacks, and iterating (re-hashing) enough times to slow the hashing down - not so much that your application takes too long, but enough that an attacker brute-forcing a large number of different password will notice

From the document:

  • Iterate at least 1000 times, preferably more - time your implementation to see how many iterations are feasible for you.
  • 8 bytes (64 bits) of salt are sufficient, and the random doesn't need to be secure (the salt is unencrypted, we're not worried someone will guess it).
  • A good way to apply the salt when hashing is to use HMAC with your favorite hash algorithm, using the password as the HMAC key and the salt as the text to hash (see this section of the document).

Example implementation in Python, using SHA-256 as the secure hash:

from hashlib import sha256
from hmac import HMAC
import random

def random_bytes(num_bytes):
  return "".join(chr(random.randrange(256)) for i in xrange(num_bytes))

def pbkdf_sha256(password, salt, iterations):
  result = password
  for i in xrange(iterations):
    result = HMAC(result, salt, sha256).digest() # use HMAC to apply the salt
  return result

NUM_ITERATIONS = 5000
def hash_password(plain_password):
  salt = random_bytes(8) # 64 bits

  hashed_password = pbkdf_sha256(plain_password, salt, NUM_ITERATIONS)

  # return the salt and hashed password, encoded in base64 and split with ","
  return salt.encode("base64").strip() + "," + hashed_password.encode("base64").strip()

def check_password(saved_password_entry, plain_password):
  salt, hashed_password = saved_password_entry.split(",")
  salt = salt.decode("base64")
  hashed_password = hashed_password.decode("base64")

  return hashed_password == pbkdf_sha256(plain_password, salt, NUM_ITERATIONS)

password_entry = hash_password("mysecret")
print password_entry # will print, for example: 8Y1ZO8Y1pi4=,r7Acg5iRiZ/x4QwFLhPMjASESxesoIcdJRSDkqWYfaA=
check_password(password_entry, "mysecret") # returns True
orip
I've always understood that hashing a hash is not something you should do, as the possibility of hash collision increase with each iteration. But does this hash(salt+hash) circumvent this? The amount of characters aren't all that many, after all...
Henrik Paul
You're right, re-hashing may reduce the search space (salt doesn't help), but this is irrelevant for password-based cryptography.To reach the 256-bit search space of this hash you'd need a completely random password, 40 characters long, from all available keyboard characters (log2(94^40)).
orip
A: 

MD5 and SHA1 have shown a bit of weakness (two words can result in the same hash) so using SHA256-SHA512 / iterative hashes is recommended to hash the password.

I would write a small program in the language that the application is written in that goes and generates a random salt that is unique for each user and a hash of the password. The reason I tend to use the same language as the verification is that different crypto libraries can do things slightly differently (i.e. padding) so using the same library to generate the hash and verify it eliminates that risk. This application could also then verify the login after the table has been updated if you want as it knows the plain text password still.

  1. Don't use MD5/SHA1
  2. Generate a good random salt (many crypto libraries have a salt generator)
  3. An iterative hash algorithm as orip recommended
  4. Ensure that the passwords are not transmitted in plain text over the wire
Kudos2u2
+1  A: 

Step 1: Add encrypted field to database

Step 2: Change code so that when password is changed, it updates both fields but logging in still uses old field.

Step 3: Run script to populate all the new fields.

Step 4: Change code so that logging in uses new field and changing passwords stops updating old field.

Step 5: Remove unencrypted passwords from database.

This should allow you to accomplish the changeover without interruption to the end user.

Also: Something I would do is name the new database field something that is completely unrelated to password like "LastSessionID" or something similarly boring. Then instead of removing the password field, just populate with hashes of random data. Then, if your database ever gets compromised, they can spend all the time they want trying to decrypt the "password" field.

This may not actually accomplish anything, but it's fun thinking about someone sitting there trying to figure out worthless information

Kevin
Good point about Step 2 being needed early in the process. I share your enjoyment of the dummy password field too :)
Kristen
+1  A: 

That was a problem of mine couple of weeks ago. We were deploying a large MIS project to 975 different geographical locations where our own user credential store will be used as an authenticator for different set of already implemented and in-use applications. We already provided both REST and SOAP based authentication service but customer insisted to be able to reach the user credential store from other applications with just a a DB connection to read-only view of related table or view. Sigh... (this highly coupled bad design decision is a subject of another question).

That forced us to sit and convert our salted and iteratively hashed password storage scheme to a specification and provide some different language implementations for easy integration.

We called it Fairly Secure Hashed Passwords or FSHP in short. Implemented it in Python, Ruby, PHP5 and released it to Public Domain. Available to be consumed, forked, flamed or spit on GitHub at http://github.com/bdd/fshp

FSHP is a salted, iteratively hashed password hashing implementation.

Design principle is similar with PBKDF1 specification in RFC 2898 (a.k.a: PKCS #5: Password-Based Cryptography Specification Version 2.0.) FSHP allows choosing the salt length, number of iterations and the underlying cryptographic hash function among SHA-1 and SHA-2 (256, 384, 512). Self defining meta prefix at the beginning of every output makes it portable while letting the consumer to choose its own password storage security baseline.

SECURITY:

Default FSHP1 uses 8 byte salts, with 4096 iterations of SHA-256 hashing. - 8 byte salt renders rainbow table attacks impractical by multiplying the required space with 2^64. - 4096 iterations causes brute force attacks to be fairly expensive. - There are no known attacks against SHA-256 to find collisions with a computational effort of fewer than 2^128 operations at the time of this release.

IMPLEMENTATIONS:

  • Python: Tested with 2.3.5 (w/ hashlib), 2.5.1, 2.6.1
  • Ruby : Tested with 1.8.6
  • PHP5 : Tested with 5.2.6

Everyone is more than welcome to create missing language implementations or polish the current ones.

BASIC OPERATION (with Python):

>>> fsh = fshp.crypt('OrpheanBeholderScryDoubt')
>>> print fsh
{FSHP1|8|4096}GVSUFDAjdh0vBosn1GUhzGLHP7BmkbCZVH/3TQqGIjADXpc+6NCg3g==
>>> fshp.validate('OrpheanBeholderScryDoubt', fsh)
True

CUSTOMIZING THE CRYPT:

Let's weaken our password hashing scheme. - Decrease the salt length from default 8 to 2. - Decrease the iteration round from default 4096 to 10. - Select FSHP0 with SHA-1 as the underlying hash algorithm.

>>> fsh = fshp.crypt('ExecuteOrder66', saltlen=2, rounds=10, variant=0)
>>> print fsh
{FSHP0|2|10}Nge7yRT/vueEGVFPIxcDjiaHQGFQaQ==
Berk D. Demir
That's pretty cool! It would be nice not to specify the variant as a magic number though.
orip
actually it's more than an algo map. at the time of this release, all variants are PBKDF1 implementations and only differ with hash algo (0:SHA1, 1:SHA256, 2:SHA384, 3:SHA512) but to be forward compatible, I picked it as an integer. so it's not a magic number but tastes like it. you're right.
Berk D. Demir
Berk D. Demir
A: 

I would like to suggest one improvement to the great python example posted by Orip. I would redefine the random_bytes function to be:

def random_bytes(num_bytes):
    return os.urandom(num_bytes)

Of course, you would have to import the os module. The os.urandom function provides a random sequence of bytes that can be safely used in cryptographic applications. See the reference help of this function for further details.

Sergio