|
Message-ID: <CALi+ztF57T3J5N_kYvNLL1b6vCjL1=Bcd9=P3T5E=ym_6kRX=g@mail.gmail.com> Date: Wed, 9 Oct 2013 14:16:27 -0700 From: Chris Palmer <snackypants@...il.com> To: oss-security@...ts.openwall.com Cc: Rich Felker <dalias@...ifal.cx> Subject: Re: Source of bad password hashing practices? MySQL manual... There is more bad advice on that page: """ ...Even passwords like“xfish98” are very bad. Much better is “duag98” which contains the same word “fish” but typed one key to the left on a standard QWERTY keyboard. ... """ And then a rather wacky assertion: """Invest in a firewall. This protects you from at least 50% of all types of exploits in any software. Put MySQL behind the firewall or in a demilitarized zone (DMZ).""" Ideally, someone (Seth Arnold started; want to finish?) should rewrite all the bad stuff on that page, and send it to MySQL's security contact as a patch. I'd remove the password creation advice completely (other sources do a better job), and change the firewall thing to just say something along the lines of, "Avoid exposing MySQL to the internet... if you must, require authentication... if you must, use TLS or an SSH tunnel... If you use TLS, make sure the client correctly authenticates your server, such as by checking for a specific end-entity certificate/key or a specific issuer certificate/key...". Part of the rewrite should be some advice along the lines of, "MySQL offers a delightful built-in function you can use for storing passwords, SCRYPT(). Prefer SCRYPT to other mechanisms like MD5(), ENCRYPT(), or ... Please note that the ENCRYPT() function is not safe and has been deprecated as of... To verify passwords, check that SCRYPT(...) = scrypted_password in your WHERE clause... Do not log plaintext passwords..." And then give them a patch to implement SCRYPT and to log a deprecation warning when ENCRYPT is used. Easier said than done, of course; but I wanted to make the point that Rich was right to raise this issue here (or, at least, somewhere). Does anyone know the right MySQL security contact? It isn't immediately obvious from a few web searches, but maybe secalert_us@...cle.com is right? Making that clear, and maybe publishing a PGP key, is another thing they could do...
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.