Database password with MD5

#1
[eluser]Unknown[/eluser]
Hi All,

I am new to PHP and CodeIgniter.

I was wondering, is it possible to use MD5 in the database config file?
I am not comfortable having the password saved in plain text in the config file.
I know that I have to limit access and secure the config file, but it would still be better if it were possible to make the password harder to read.

Thanks.

#2
[eluser]Stefan Hueg[/eluser]
You can only use reversible encryption. MD5 is a hashing algorithm, so it won't work, as you will never get the original password back.

But anyhow: if you encrypt your database password and someone gets access to your CI files, he will see the config, how it is encrypted, and what the password is (as you have to decrypt it...), so you won't gain any advantage with this approach.

#3
[eluser]WanWizard[/eluser]
Passwords should always be hashed (= one way process), not encrypted.

The most secure way to hash at the moment is using bcrypt or pbkdf2, and combine the password with a random salt for added security.

Ideally a per-user salt, even more ideally regenerated after each login, but if not possible a generic salt stored in a config file or a settings table (or combine the two).

#4
[eluser]Stefan Hueg[/eluser]
[quote author="WanWizard" date="1335956878"]Passwords should always be hashed (= one way process), not encrypted.

The most secure way to hash at the moment is using bcrypt or pbkdf2, and combine the password with a random salt for added security.

Ideally a per-user salt, even more ideally regenerated after each login, but if not possible a generic salt stored in a config file or a settings table (or combine the two).[/quote]

Read his post carefully; he was talking about database config files ;)

#5
[eluser]WanWizard[/eluser]
*** hides in a corner... 8-/

Encryption, no matter which form, is always a problem due to the impracticalities.

To be able to use the encrypted information you need the key; to make this automatic, the system doing the decryption needs access to the key. This means anyone with access to the system can also access the key, which in turn makes your encryption worthless.

If you require this kind of security for your web frontends (your client facing applications), create API driven applications, so you don't need to store anything in the frontend.

Instead, split your application into a frontend and a backend. The frontend contains the controllers and views. The models don't access a database, but do REST calls to the backend to retrieve the information.

The backend provides the REST API services to deliver the data to the frontend. The backend can be secured (physically and at the network level), and the API requests can be secured using request signing (if possible in combination with mutual authentication). There is no way to access information other than through the API. If there is no API for 'give me all credit card numbers', there is no way a hacker can get a list by hacking your frontend.
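
The request signing WanWizard mentions can be as simple as an HMAC over the request, computed by the frontend and checked by the backend with a shared secret. The following is an added example, not code from the thread, CodeIgniter or Phil Sturgeon's libraries; the header names, the `SHARED_SECRET` constant and the 300-second clock skew are assumptions.

```php
<?php
// Added example: HMAC request signing between a web frontend and a REST backend.
// Hypothetical names; the shared secret must live on both sides, but only the
// backend holds the database credentials, which is the point of the split.

const SHARED_SECRET = 'replace-with-a-long-random-secret'; // hypothetical value
const MAX_CLOCK_SKEW = 300; // seconds; limits how long a captured request stays valid

// Canonical form of the request: everything the backend must see unchanged.
function canonical_string(string $method, string $path, int $timestamp, string $body): string
{
    return strtoupper($method) . "\n" . $path . "\n" . $timestamp . "\n" . hash('sha256', $body);
}

// Frontend side: produce the headers to attach to the outgoing request.
function sign_request(string $method, string $path, string $body, string $secret, ?int $timestamp = null): array
{
    $timestamp = $timestamp ?? time();
    $signature = hash_hmac('sha256', canonical_string($method, $path, $timestamp, $body), $secret);
    return ['X-Timestamp' => (string) $timestamp, 'X-Signature' => $signature];
}

// Backend side: recompute the HMAC and compare in constant time.
function verify_request(string $method, string $path, string $body, array $headers, string $secret, ?int $now = null): bool
{
    if (!isset($headers['X-Timestamp'], $headers['X-Signature'])) {
        return false;
    }
    if (!ctype_digit($headers['X-Timestamp'])) {
        return false;
    }
    $timestamp = (int) $headers['X-Timestamp'];
    $now = $now ?? time();
    if (abs($now - $timestamp) > MAX_CLOCK_SKEW) {
        return false; // stale or replayed request
    }
    $expected = hash_hmac('sha256', canonical_string($method, $path, $timestamp, $body), $secret);
    return hash_equals($expected, $headers['X-Signature']); // timing-safe comparison
}

// Constructed demonstration: one signed call from frontend to backend.
$method = 'POST';
$path = '/api/v1/orders';
$body = json_encode(['customer_id' => 42, 'items' => [7, 9]]);
$now = 1335971033; // fixed "now" so the run is reproducible

$headers = sign_request($method, $path, $body, SHARED_SECRET, $now);

var_dump(verify_request($method, $path, $body, $headers, SHARED_SECRET, $now));                    // bool(true)
var_dump(verify_request($method, $path, '{"customer_id":1}', $headers, SHARED_SECRET, $now));       // bool(false): body altered
var_dump(verify_request($method, $path, $body, $headers, SHARED_SECRET, $now + MAX_CLOCK_SKEW + 1)); // bool(false): outside replay window
var_dump(verify_request($method, $path, $body, $headers, 'wrong-secret', $now));                    // bool(false): wrong key
```

The body hash is part of the signed string so the backend rejects modified payloads, the timestamp bounds how long a captured request can be replayed, and `hash_equals` avoids leaking the expected signature through comparison timing. Over plain HTTP the secret is still safe (only the HMAC travels), but the body is not confidential, so the call should also go over TLS, ideally with the mutual authentication the post mentions.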

#6
[eluser]Unknown[/eluser]
@Stefan
That was what I thought. I was thinking of creating a small function to decode the password and encoding the function. So if someone has access to the config file, he won't be able to see the function code to decode the password. In that case I think I need to alter the way CI logs in, which would be troublesome if I later need to upgrade CI. What do you think?

@WanWizard
Do you mean creating a web service? Is it something like Service Object Architecture? Is it hard, or does it take a long time to implement?

I'm still new to this web programming. I need to assess my options before moving forward.

Thanks all for your replies.

#7
[eluser]Stefan Hueg[/eluser]
@Jack: Anyone that has physical access to your server can and will decrypt your database password.

It's like having a door lock with the key left in on the outside.

You won't be able to protect that data.

#8
[eluser]WanWizard[/eluser]
[quote author="Jack Doe" date="1335971033"]
@WanWizard
Do you mean creating a web service? Is it something like Service Object Architecture? Is it hard, or does it take a long time to implement?[/quote]
No, it's quite simple.

Phil Sturgeon created excellent solutions for the server side (the REST controller) and the client side (cURL library).

See http://philsturgeon.co.uk/code/codeigniter-curl and http://philsturgeon.co.uk/blog/2009/06/R...odeIgniter.
