Date: Wed, 09 Oct 2013 18:53:26 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Rich Felker <dalias@...ifal.cx> Subject: Re: Source of bad password hashing practices? MySQL manual... -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/09/2013 03:16 PM, Chris Palmer wrote: > There is more bad advice on that page: > > """ ...Even passwords like“xfish98” are very bad. Much better is > “duag98” which contains the same word “fish” but typed one key to > the left on a standard QWERTY keyboard. ... """ > > And then a rather wacky assertion: > > """Invest in a firewall. This protects you from at least 50% of > all types of exploits in any software. Put MySQL behind the > firewall or in a demilitarized zone (DMZ).""" > > Ideally, someone (Seth Arnold started; want to finish?) should > rewrite all the bad stuff on that page, and send it to MySQL's > security contact as a patch. I'd remove the password creation > advice completely (other sources do a better job), and change the > firewall thing to just say something along the lines of, "Avoid > exposing MySQL to the internet... if you must, require > authentication... if you must, use TLS or an SSH tunnel... If you > use TLS, make sure the client correctly authenticates your server, > such as by checking for a specific end-entity certificate/key or a > specific issuer certificate/key...". > > Part of the rewrite should be some advice along the lines of, > "MySQL offers a delightful built-in function you can use for > storing passwords, SCRYPT(). Prefer SCRYPT to other mechanisms like > MD5(), ENCRYPT(), or ... Please note that the ENCRYPT() function is > not safe and has been deprecated as of... To verify passwords, > check that SCRYPT(...) = scrypted_password in your WHERE clause... > Do not log plaintext passwords..." And then give them a patch to > implement SCRYPT and to log a deprecation warning when ENCRYPT is > used. > > Easier said than done, of course; but I wanted to make the point > that Rich was right to raise this issue here (or, at least, > somewhere). Does anyone know the right MySQL security contact? It > isn't immediately obvious from a few web searches, but maybe > secalert_us@...cle.com is right? Making that clear, and maybe > publishing a PGP key, is another thing they could do... > One note, has anyone checked the MariaDB documentation, Percona and so on? - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBAgAGBQJSVfqFAAoJEBYNRVNeJnmT2MIQAK6yvnjpE0cLdNIUxtQykrcT fLTmwRnljRaE5xSkui8Yn6qM6ycwL1rpqTK4lLrTpN2yf/jGyjMCj3G3Cm8TQOFJ rRb0wieIdTj9ZWWFTcnrX/wHJHp70tgBzD+TBun3paDT8DKP/BBuqbnWUJmFdKZI 2eeSpnprkBhkEWfJV9zWRfxBLbmqU7n6bKMf8xamejSs7N4vXNrFBQiXpXFOro/x L9xJXt8uqxU87DVLv4COVRuh3Q+WmVeo3avAdmVO6ShjqCpCb8YqDXaSt+Kx9nPd QpSyLMNko7/QMol4++6zvsob48sZcYIE5BNvBuTdkwvmwZjI5Q4mvd64LkFof2ko 2R5pmHwg7qHRa1THCacnokOs5GrQm7KDFSg4Lugibs4hDNbbk54tw8vo96GSGNqF 7GfL7WdW8gsiKII4TVBdcAySbSfzt9ro7iVtiHnagVm9eYUjDdg13hU/mkjATjgM SBJv0RdMVeTOlgxoKUk6gfRDs5aYbNHABMMLsL2Cj7a2lqMhzw2dyCJBkKNvzYBB nBPxHMtZ9tzGexFCgRWuXtGxhu+G2dOrurgOCoQqY5Y26gGcWcWJ4t2oLx+f1k1/ wq1Y8Jav6h754CUMgMWrWBXyaDzctgt5mbVg0Cyv0FeY88NtP9RZNFuSxLrGxlJl q86ofUJSABD0Mkh1lcve =n+C4 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.