183 votes
Accepted

Is HostGator storing my password in plaintext?

Yep, that's a big problem, especially if that was your old password (i.e. not a newly assigned one). Technically, the password might be stored under reversible encryption rather than plain text, but ...
CBHacking (52.2k reputation)
127 votes
Accepted

Can I conceal which account in my database is the admin account, so an attacker won't know which hash to crack first?

I would say this is a bit too much trouble considering what you get out of it. I think when the attacker has access to the database you have way bigger problems. Obfuscating the admin status of a user ...
Black Magic (1,222 reputation)
122 votes
Accepted

Is it safe/wise to store a salt in the same field as the hashed password?

You should store it in a single field. Do not try to divide it into parts. I know this might seem a bit unintuitive for people coming from a database background, where the modus operandi is to ...
Anders (65.8k reputation)
107 votes
Accepted

Why is credit card information not stolen more often?

PCI DSS: The major reason for this is a decade long effort by the payment cards industry to limit the extent of such breaches by requiring everyone who handles payment card data to either (a) conform ...
Peteris (8,439 reputation)
103 votes
Accepted

Storing weakness level of passwords

Password hashing (with salting and slowness) is designed to make it indistinguishable from just having the hash if a password is weak or strong. Adding an additional indicator about the quality of the ...
Steffen Ullrich
97 votes
Accepted

Is a sha256 hash of a unix timestamp a strong password

... for an entropy of ~330 bits, ... The question is not how strong a password looks like but how strong it actually is. SHA-256 does not add any entropy at all, so it all depends on what the input ...
Steffen Ullrich
82 votes

Is HostGator storing my password in plaintext?

Yes, they store passwords in plaintext or equivalent, and definitely transmit them in plain text. This was discovered in 2011. This is confirmed HostGator being listed on Plaintext Offenders, as well ...
forest (67.3k reputation)
67 votes

Why are stored procedures and prepared statements the preferred modern methods for preventing SQL Injection over the mysql_real_escape_string() function

The problem of SQL injection is essentially the mixing of logic and data, where what should be data is treated as logic. Prepared statements and parameterized queries actually solve this issue at the ...
multithr3at3d
53 votes
Accepted

Does password-protecting a database living next to the application add any security?

It makes sense to password protect the database if you secure access to the application's config file that holds the plaintext credentials. When you restrict read access to the application's account ...
Stef Heylen (1,736 reputation)
48 votes

Is it safe/wise to store a salt in the same field as the hashed password?

What you're missing is that hashes work on the original data, minus the original string. When you want to validate a string against a hash, you take the supplied string, plus the original hash data (...
Machavity (3,798 reputation)
47 votes
Accepted

Secure Implementation of Password Database

The current general best practices for authentication are in the NIST SP 800-63-3 Digital Identity Guidelines standards, especially in SP-63B Authentication and Lifecycle Management. These NIST ...
Ghedipunk (6,130 reputation)
46 votes
Accepted

Is this safe to display MySQL query error in webpage if something went wrong?

End users should never get to see the gory details of your environment. Instead it is more professional to show a generic 'Sorry something went wrong' page. At least visitors can see that you have a ...
Kate (8,465 reputation)
46 votes

Is a sha256 hash of a unix timestamp a strong password

Password complexity is not a matter of having a bunch of random-ish characters. The purpose of password complexity is to make your password harder to guess, not to make your password "look random....
Kevin (936 reputation)
35 votes
Accepted

Is this passwordless system secure?

No, this doesn't seem secure. Collisions: Mersenne Twister is a deterministic RNG, so it's not suitable for most cryptographic tasks (although its usage makes sense, because if it weren't ...
tim (29.8k reputation)
28 votes

Business founder wants access to database but has no DB skills

He is the Data Owner. Not you. If you get hit by a bus, he will need access. You should absolutely give him access. This request is not a surprise at all. If you built a website for me, I'd ask the ...
schroeder (132k reputation)
27 votes

Can I conceal which account in my database is the admin account, so an attacker won't know which hash to crack first?

Security through obfuscation has limited effectiveness at best - to determine if it is suitable, you need to understand what threats you want to counter. If a threat actor can read your database ...
schroeder (132k reputation)
27 votes

KeePass security local malware

Yes - if the malware included a keylogger, for example, it could simply read the master password when you typed it in. The only real way to prevent that would be to have KeePass be the only software ...
Matthew (27.4k reputation)
26 votes

Why are stored procedures and prepared statements the preferred modern methods for preventing SQL Injection over the mysql_real_escape_string() function

I think the main question here is why string escaping is not as good as the other methods. The answer is that some edge cases allow injections to slip through even though they are escaped. Stack ...
halfer (831 reputation)
23 votes
Accepted

Is deleting files from a database considered a denial of service attack?

Yes, in the sense that anything which "denies service" is a "denial of service". The CIA Triad defines information security as anything which affects Confidentiality, Integrity, or Availability of ...
Mike Ounsworth
22 votes

Does password-protecting a database living next to the application add any security?

That is kind of an onion protection (also known as "Layered Security" or "Defense in Depth" as seen, for example, in SANS' "Layered Security: Why It Works" whitepaper). If an attacker can reach the ...
Serge Ballesta
22 votes

Storing weakness level of passwords

I am implementing a system where I need to store passwords in a database (hashed and all). My issue is that the business side requires me to not enforce any constraint on them except length (8 ...
Kate (8,465 reputation)
21 votes

What's more vulnerable; the data or the DBMS?

No, a database is not always involved. Let's come up with a random service that happens to be moderately popular. A fairly standard set of components includes: a user-facing client (webpage or app) ...
Marc (4,311 reputation)
18 votes
Accepted

Would encrypting a database protect against a compromised admin account?

Yes, such a system exists; it's called Application-Level Encryption. Under that system the encryption keys (or at least the Key-Encrypting Key, or KEK) are only available to the application. Data is ...
gowenfawr (73.3k reputation)
17 votes
Accepted

Is forbidding the ; char enough to prevent SQL injection?

TL;DR No, your friend is not right. INSERT, UPDATE, DELETE and DROP TABLE aren't the be-all and end-all of SQL risks connected to SQL injection. The very simplest thing I could do with that query is ...
LSerni (23k reputation)
16 votes
Accepted

KeePass security local malware

When your computer is compromised, pretty much any defense on it should be considered broken. Security threat models consider this as an out-of-scope scenario - barring very few exceptions (e.g., the ...
Sas3 (2,656 reputation)
15 votes

Why are stored procedures and prepared statements the preferred modern methods for preventing SQL Injection over the mysql_real_escape_string() function

While you can stay safe protecting against SQLi escaping user input, it's important to note that it may not always be enough. In this terrible example, quotes are never needed to perform a successful ...
Jefrey Sobreira Santos
15 votes
Accepted

How does Google save our passwords on their server?

Passwords should be stored hashed and salted: Because we must assume every database might get breached, plain text passwords should not be stored anywhere. Instead, the password should be hashed, which ...
Esa Jokinen (19.4k reputation)
14 votes
Accepted

Are MySQL's database files encrypted?

Are MySQL database files that are stored on disk encrypted? No, they are not. You can (relatively) easily test this by moving .ibd or .myd files to a different system, where you can still read them....
tim (29.8k reputation)
13 votes

Is this safe to display MySQL query error in webpage if something went wrong?

No, it is definitely not safe because it creates additional SQL injection attack vectors not present otherwise. Example: If you have an SQL injection flaw in an insert then this is some kind of "blind" ...
kaidentity (2,664 reputation)

Only top scored, non community-wiki answers of a minimum length are eligible