PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
PostPosted: Wed Aug 03, 2011 4:19 pm 
Forum Regular

Joined: Wed Mar 05, 2008 11:23 pm
Posts: 732
Location: Sunriver, OR
This is a hypothetical situation, but let's say I gain access to a database, but not the file system. This could be a SQL injection vulnerability through some test script in an obscure directory on the webserver, or whatever else you can imagine.

Typically user registration systems are stored in the database as:
UserId, UserName, UserPasswordHash, UserPasswordSalt

Usernames are typically plain text, while the password and salt are hashes.

My point is, if I have access to the database and I have created an account, I know my own password. So consider the following:

# Fetch My Personal Info
SELECT `userPasswordHash`, `UserPasswordSalt` FROM `users` WHERE `UserName`='my_username';

# Update All Users Info
UPDATE `users` SET `UserPasswordHash`='my_password_hash', `UserPasswordSalt`='my_password_salt';

Now I know everyone's password. I wouldn't have to have any knowledge of the password hashing scheme mechanics to make this work.

In addition to a random user salt, plus a global pepper (stored outside the database), I think it would be beneficial to add the username or id to the password hashing scheme. Tying the username into the hashing scheme would make the hash unique, even if the password and salt were identical.

On the other hand, if I have access to the database, it's already game over, but with that mindset, why hash passwords before storage to begin with?

I don't know, I'm sure most of you have already thought about this before, but it dawned on me while driving to work this morning. Any comments?


PostPosted: Fri Aug 05, 2011 12:29 am 
Forum Commoner

Joined: Thu Aug 28, 2008 7:03 pm
Posts: 55
Hashing passwords is less about protecting your system and more about protecting your users. Many people use the same password everywhere, which means if your system is compromised and your users' passwords are discovered, then higher value attacks against your users are possible, such as bank and e-mail accounts.


PostPosted: Mon Aug 08, 2011 2:02 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
In a realistic scenario, you're much, much more likely to gain read-only access to the database than read-write access. This is the most common intrusion, and this is what salt-and-pepper is a good measure against.

That said, even in this attack scenario, if your salting scheme includes the username as part of the per-user salt, you still would not be able to "copy" your credentials over the admin's.


 
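As an added example (not code from this thread or from any poster), here is the scheme the first post proposes and the reply above endorses, written in Python with PBKDF2-HMAC-SHA256 standing in for whatever hash the site uses: the per-user salt, the pepper kept outside the database and the username are all mixed into the salt derivation, and row_copy_survives replays the first post's UPDATE without a WHERE clause for both the unbound and the username-bound variant. The pepper value, account names, passwords and function names are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed pepper: in a real deployment it lives outside the database
# (config file or environment), so a database-only compromise never sees it.
PEPPER = b"constructed-pepper-not-stored-in-the-db"
ITERATIONS = 100_000


def hash_password(username: str, password: str, salt: bytes, bind_username: bool) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password, using a derived salt that mixes
    the pepper, the per-user salt and (when bind_username is True) the
    account's username, so the stored hash only verifies for its own row."""
    parts = [PEPPER, salt]
    if bind_username:
        parts.append(username.encode("utf-8"))
    # Length-prefix each part so the concatenation is unambiguous.
    material = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    bound_salt = hashlib.sha256(material).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bound_salt, ITERATIONS)


def register(users: dict, username: str, password: str, bind_username: bool) -> None:
    salt = os.urandom(16)  # random per-user salt, stored next to the hash
    users[username] = {"hash": hash_password(username, password, salt, bind_username),
                       "salt": salt}


def verify(users: dict, username: str, password: str, bind_username: bool) -> bool:
    row = users.get(username)
    if row is None:
        return False
    candidate = hash_password(username, password, row["salt"], bind_username)
    return hmac.compare_digest(candidate, row["hash"])  # constant-time compare


def row_copy_survives(bind_username: bool) -> bool:
    """Replay the thread's scenario: the (hash, salt) pair of one account is
    copied onto another row, as the first post's UPDATE without a WHERE
    clause would do. Returns True if the copied account's password now
    verifies for the victim account, i.e. the scheme offers no protection."""
    users: dict = {}
    register(users, "victim", "correct horse battery", bind_username)
    register(users, "attacker", "hunter2", bind_username)
    users["victim"] = dict(users["attacker"])  # the UPDATE ... SET hash, salt
    return verify(users, "victim", "hunter2", bind_username)
```

With bind_username=False the copied row opens the victim account; with the username mixed in it does not, because the victim's row now holds a hash that was derived under a different username.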