tags:

views:

447

answers:

5
+2  Q: 

Store Encrypted Username Hash in Database

I'm currently working on basic user authentication for an app I'm putting together, and I don't have much experience with security.

This said, I understand the practice (and necessity) of salting/storing a (salted) password hash in a database as a blob, as opposed to the password (encrypted or no). I've already implemented this.

Is there anything to be gained by salting/hashing a user name and storing the hash in the database, as opposed to the username in plain-text (or encrypted)? It strikes me this would make it quite a bit harder to determine which users may access the system using the database for authentication.

Since it's vital to make it difficult for someone to crack the password for a user account, wouldn't it also make sense to increase the difficulty for determining which users are viable?

Edit: it's possible some of the language I'm using isn't 100% correct: feel free to correct :-)

Edit2: I changed one of my first points to indicate salting hashes -- thanks everyone for pointing out that I missed this :-)

Edit3: Removed wording indicating I am encrypting/decrypting a password. I'm using salted hashes and am storing that in the DB -- thanks Scotty for pointing this out.

A: 

It's not very fair to your users to store their password in plain text since everybody that has access to your database can see their passwords. You should use a salted hash.

Salt_(cryptography)

mnml  2009-03-29 05:28:30
As I mentioned, I understand storing a password hash (I didn't mention a salt, but I figured it was understood) as opposed to plain text. My question is concerning _usernames_.
bedwyr  2009-03-29 05:31:22
+2  A: 

Short answer: most likely no.

Long answer: Your situation seems to lack the key "my usernames are sensitive because of ..." which raises the question: "Why? What is the specific, demonstrable problem that protecting usernames would solve?"

Without that problem, what you are describing is a common pitfall in security-related development (and really development as a whole): coming up with some idea to secure or obfuscate some part of the system, and then searching for a reason to use it. As with anything in software development, you should avoid doing anything other than exactly what is needed until a clear problem presents itself that can only be solved by using a specific tool.

Extra hint (for free!): salt your password hashes. Plain-old hashes are far less secure.

Rex M  2009-03-29 05:28:48
I appreciate your point of contrived obfuscation, but I'm not convinced it applies to my question. If someone accesses my DB, they would have direct knowledge of user account names. They might not have immediate knowledge of valid passwords, but isn't it still a security hole?
bedwyr  2009-03-29 05:37:05
@bedwyr it depends on the information built into the usernames and whether the data associated with a given name is sensitive.
Rex M  2009-03-29 05:48:54
@Rex, I think I get your point: usernames are typically public knowledge (e.g. create a new user, fail, and you now know a user w/that name exists). This piece of information is negligible as long as it's unrelated to any security implementation/execution. Did I understand correctly?
bedwyr  2009-03-29 05:55:37
Also, thanks for the links. Every bit of knowledge helps :-)
bedwyr  2009-03-29 06:05:04
@bedwyr yes, that was the point I was trying to make :)
Rex M  2009-03-29 06:06:24
@bedwyr or more specifically, your situation seems to lack the key "my usernames are sensitive because of ..." which again raises the question "why? what is the specific, demonstrable problem that protecting usernames would solve?".
Rex M  2009-03-29 06:09:48
@Rex, this last question is a _great_ one. Unless I can think of a reason the username is specifically sensitive (and if I can, I should probably re-think my implementation), then there's no reason to incur the overhead of salting/hashing/calculating...got it! :-)
bedwyr  2009-03-29 06:14:24
Generally usernames are not considered secure, on computer systems for example the username is always typed in plain text, the password is the one that is to be secured.
X-Istence  2009-03-29 07:22:23
A: 

You can never properly evaluate the security of a system by looking at a single part of it in isolation. Whereabouts are you storing the key to decrypt the passwords?

Do the people that have access to the database also have access to the location you are storing the encyption key? If so you've only gained a minor improvement in security by encrypting the passwords and probably nothing much more to gain by encrypting the usernames.

If the decryption key and program using it are more secure than the database - which is pretty unusual, normally the database is in the most secure spot possible - then there would possibly be additional benefit to also encrypting the username as you'd be depriving attackers of useful information in brute force attacks.

sipwiz  2009-03-29 05:33:55
+1  A: 

Probably not. Think of it this way - the username is the application's way of figuring out which account a user is trying to login as. The password is the application's way of figuring out whether the user is actually allowed to login as that account. In practice, this means you're going to look up a row in your accounts table using the username as an index. By encrypting the username, you're simply making it harder to find the right row.

However, if you're using the same encryption scheme to encrypt the username and password, they are pretty much equally secure - if you can break one, you can break the other. Thus, encrypting both makes it harder to lookup the user, but doesn't add any additional security.

Note: In your question you talk about decrypting your password field. You probably want to make this impossible (literally). Most people encrypt their passwords using a one-way hash function of some sort (MD5 and SHA256 are popular), along with a salt. The "one-way" part simply means that once you run something through the function, you can't use what you get out to get what you started with. However, if you start with the same input, you'll always get the same output. The salt is a secret that only your application knows (sort of like an encryption key), which is added to whatever you are encrypting, before it is run through the one-way hash. This makes it impossible to do things like match two encrypted passwords from two different sites (assuming they're using different salts).

Scotty Allen  2009-03-29 05:34:58
Thanks for your thoughts: hashing a username does make it harder (and thus more costly) to lookup a user account. Would using different salts address your second point (e.g. break one your break the other)?
bedwyr  2009-03-29 05:40:56
Not really. Salting the password (which you do anyway) will make the authentication part of the lookup much harder, and then we're back to point one...
Nikhil Chelliah  2009-03-29 05:46:36
...salting the username too gives the hacker twice as much work to do, but that's irrelevant. If they spent 10 hours on the password they can spend 10 hours on the username; if they need to spend 100 years on the password they won't even get to the username.
Nikhil Chelliah  2009-03-29 05:58:51
@Scotty, thanks for your 'Note'; I updated my question. I'm salting the hash and storing the result, and then running the encryption/salt algorithm on the inputted password to see if the result is the same.
bedwyr  2009-03-29 06:03:07
@Nikhil, very good point -- thanks.
bedwyr  2009-03-29 06:03:51
+2  A: 

If you salted & hashed the username, you'd leave yourself with a bit of a chicken & egg problem.

If you salted & hashed the username, how would you find it in the database? You'd need to look up the user's record to find the salt you used to hash the username...

Michael Burr  2009-03-29 06:09:22
Becomes thorny pretty quickly - good catch!
Nikhil Chelliah  2009-03-29 06:25:26

related questions

What language do you use for Postgresql triggers and stored procedures?
Are Multiple DataContext classes ever appropriate?
Which tools do people use to create Data Dictionaries?
Any experiences with Protocol Buffers?
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
How do I index a database field
How does database indexing work?
How do I connect to a database and loop over a recordset in C#?
Editing database records by multiple users
Object Oriented vs Relational Databases
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
Embedded Database for .net that can run off a network
Connect PHP to an AS/400
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
.NET Migrations Engine
Is there a version control system for database structure changes?
SQLite and XSD
How do I version my MS SQL database in SVN?
XSD DataSets and ignoring foreign keys
Flat File Databases in PHP
Throw Error In MySQL Trigger
Binary Data in MySQL