Published on by Nayar

Secure Gate or Secure Safe?

Me, Nadim and Ish were having a little talk about how to store passwords in databases.

Traditionally, passwords for a user are hashed using an algorithm such as MD5 and SHA-1 and then the hash gets stored in the database. Since hashing is a 1 way function, you cannot have a function MD5-reversed for example in which you pass in the hash and it will give you the original password. However, using rainbow tables we can try to find the original password.

Another issue with this is that if an attacker gains access to the database, if 2 persons use the same passwords, the hashes will be the same.

The use of a salt passwords can help to make current pre-computed rainbow tables. Me and Nadim were this discussing whether each user should have a different salt or not? And should the salt also be stored in database?

I think the most secure way would be to have 1 common salt for all, 1 salt for each user and then run the hashing algorithm to get the hash to be stored in the database. The common salt should be stored in a text file so as the attacker having the database cannot have the common salt unless he has access to the server file-system itself.

Enter Ish Sookun
Ish was of opinion that if your system is secure enough, there is not need to secure and encrypt the database.

If the database has been configured to accept only the IP of the web server, all files have been rightly chmodded, only the needful php libraries are installed, if all unused ports are blocked correctly, it doesn’t matter whether passwords are stored even in plain text.

He says what’s the point of having a secure safe which cannot be broken if your front gate is open, doors are open, you have no camera in your house. Eventually, the ones who steal your safe will use grinders to open it!

On another extreme, if you have the most secure gate, it doesn’t matter if you walk naked inside and leave your money scattered everywhere on the floor since no one can get past your gate.

Conclusion
I don’t think all companies can have the funds to hire a System Administrator with the caliber of Ish Sookun. If all do, there is only 1 Ish.

Security should be multi-layer IMO. Because we never know when your main gate might be breached.

There was a time the Great Wall of China could be used to defend. But since drones and satellites were invented, all walls are basically useless nowadays.

Leave a Reply

Your email address will not be published. Required fields are marked *