Date: Wed, 9 Oct 2013 14:16:27 -0700
From: Chris Palmer <snackypants@...il.com>
To: oss-security@...ts.openwall.com
Cc: Rich Felker <dalias@...ifal.cx>
Subject: Re: Source of bad password hashing practices? MySQL manual...

There is more bad advice on that page:

"""
...Even passwords like “xfish98” are very bad. Much better is “duag98”
which contains the same word “fish” but typed one key to the left on a
standard QWERTY keyboard. ...
"""

And then a rather wacky assertion:

"""Invest in a firewall. This protects you from at least 50% of all
types of exploits in any software. Put MySQL behind the firewall or in
a demilitarized zone (DMZ)."""

Ideally, someone (Seth Arnold started; want to finish?) should rewrite
all the bad stuff on that page, and send it to MySQL's security
contact as a patch. I'd remove the password creation advice completely
(other sources do a better job), and change the firewall thing to just
say something along the lines of, "Avoid exposing MySQL to the
internet... if you must, require authentication... if you must, use
TLS or an SSH tunnel... If you use TLS, make sure the client correctly
authenticates your server, such as by checking for a specific
end-entity certificate/key or a specific issuer certificate/key...".

Part of the rewrite should be some advice along the lines of, "MySQL
offers a delightful built-in function you can use for storing
passwords, SCRYPT(). Prefer SCRYPT to other mechanisms like MD5(),
ENCRYPT(), or ... Please note that the ENCRYPT() function is not safe
and has been deprecated as of... To verify passwords, check that
SCRYPT(...) = scrypted_password in your WHERE clause... Do not log
plaintext passwords..." And then give them a patch to implement SCRYPT
and to log a deprecation warning when ENCRYPT is used.

Easier said than done, of course; but I wanted to make the point that
Rich was right to raise this issue here (or, at least, somewhere).
Does anyone know the right MySQL security contact? It isn't
immediately obvious from a few web searches, but maybe
secalert_us@...cle.com is right? Making that clear, and maybe
publishing a PGP key, is another thing they could do...
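The following is an added illustration of the storage scheme the message advocates, written in Python rather than as the MySQL built-in it proposes; it is not code from the message, from MySQL, or from any patch discussed in this thread. It uses `hashlib.scrypt` (Python 3.6+ built against OpenSSL 1.1 or later), and the work-factor parameters, the record format `scrypt$N$r$p$salt$key`, and the `MAX_N` bound are all assumptions chosen here for illustration.

```python
import base64
import hashlib
import hmac
import os

# Work-factor parameters (assumed values for illustration; raise N as hardware allows).
SCRYPT_N = 2 ** 14   # CPU/memory cost, must be a power of two
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelism
DKLEN = 32           # derived-key length in bytes
SALT_LEN = 16        # per-password random salt

# Largest N accepted when parsing a stored record, so a tampered record cannot
# make verification allocate huge memory (scrypt needs about 128 * N * r bytes).
MAX_N = 2 ** 20


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def hash_password(password, salt=None):
    """Return a self-describing record: scrypt$N$r$p$salt$key.

    Every value needed to verify later is stored in the record itself, so the
    parameters can be raised for new passwords without breaking old ones.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                      _b64(salt), _b64(key))


def verify_password(password, record):
    """Recompute scrypt with the parameters and salt from the record and
    compare in constant time. Malformed or abusive records verify as False."""
    try:
        algo, n, r, p, salt_b64, key_b64 = record.split("$")
        n, r, p = int(n), int(r), int(p)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
    except (ValueError, TypeError):
        return False
    if algo != "scrypt" or n < 2 or n > MAX_N or n & (n - 1) or r < 1 or p < 1:
        return False
    try:
        key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                             n=n, r=r, p=p, dklen=len(expected))
    except ValueError:
        # OpenSSL refuses parameter sets that exceed its memory limit.
        return False
    return hmac.compare_digest(key, expected)


def unsalted_md5(password):
    """What a bare MD5() gives you for contrast: fast, unsalted, and identical
    for identical passwords, so one cracked digest unlocks every reuse of it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("Tr0ub4dor&3", rec))                    # False
    # Two users with the same password: scrypt records differ, MD5 digests collide.
    print(hash_password("hunter2") != hash_password("hunter2"))   # True
    print(unsalted_md5("hunter2") == unsalted_md5("hunter2"))     # True
```

Because each record carries a random salt, the check is done in application code after fetching the stored record for the username, rather than by recomputing the hash inside the query; the per-record parameters also let you raise the work factor later and re-hash users on their next successful login.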
