Date: Wed, 09 Oct 2013 18:53:26 -0600
From: Kurt Seifried <>
CC: Rich Felker <>
Subject: Re: Source of bad password hashing practices? MySQL

On 10/09/2013 03:16 PM, Chris Palmer wrote:
> There is more bad advice on that page:
> """ ...Even passwords like“xfish98” are very bad. Much better is
> “duag98” which contains the same word “fish” but typed one key to
> the left on a standard QWERTY keyboard. ... """
> And then a rather wacky assertion:
> """Invest in a firewall. This protects you from at least 50% of
> all types of exploits in any software. Put MySQL behind the
> firewall or in a demilitarized zone (DMZ)."""
> Ideally, someone (Seth Arnold started; want to finish?) should
> rewrite all the bad stuff on that page, and send it to MySQL's
> security contact as a patch. I'd remove the password creation
> advice completely (other sources do a better job), and change the
> firewall thing to just say something along the lines of, "Avoid
> exposing MySQL to the internet... if you must, require
> authentication... if you must, use TLS or an SSH tunnel... If you
> use TLS, make sure the client correctly authenticates your server,
> such as by checking for a specific end-entity certificate/key or a
> specific issuer certificate/key...".
> Part of the rewrite should be some advice along the lines of,
> "MySQL offers a delightful built-in function you can use for
> storing passwords, SCRYPT(). Prefer SCRYPT to other mechanisms like
> MD5(), ENCRYPT(), or ... Please note that the ENCRYPT() function is
> not safe and has been deprecated as of... To verify passwords,
> check that SCRYPT(...) = scrypted_password in your WHERE clause...
> Do not log plaintext passwords..." And then give them a patch to
> implement SCRYPT and to log a deprecation warning when ENCRYPT is
> used.
> Easier said than done, of course; but I wanted to make the point
> that Rich was right to raise this issue here (or, at least,
> somewhere). Does anyone know the right MySQL security contact? It
> isn't immediately obvious from a few web searches, but maybe 
> is right? Making that clear, and maybe 
> publishing a PGP key, is another thing they could do...

One note, has anyone checked the MariaDB documentation, Percona and so on?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993