MySQL plain-text to hash passwords

0
votes

I've been working with a clients MySQL database which has users passwords stored in plain text. As I mentioned that this is a huge potential risk we talked about hashing the passwords (not that this is a full solution since it's possible to "de-hash" relatively easily these days) and I've come across a question that I think I might know the answer but I want to be 100% sure.

This client developed a couple desktop applications that require the user to insert their user/password, all in plain-text of course.

So, if we hashed the passwords by updating each password field to its MD5 (for example) hash, would modifying the desktop apps to perform this hash on the password received/input and then compare them (and login) work?

Basically, do the login procedure as it's always been but use hashed passwords instead, being this a transparent and unnoticeable operation to the users?

2
mysqlloginhash
In addition to modifying the desktop application to hash the password in login before sending to database you also need to make sure that users' password are hashed before inserting/updating user passwords to database.vee
Just in case the answer's didn't make it clear: do not use MD5 (or SHA-1) for password hashing. Use either bcrypt, scrypt, or pbkdf2.1615903
the mention of md5 was merely a (simplistic) example as I am aware that md5 and sha-1 aren't really an option these days.Zed_Blade

2 Answers

3
votes

Yes, this will work and should be transparent to the users.

However, it's not very secure. If someone gets a copy of the login database, they'll get the hashed passwords. And since you're sending hashed passwords over the wire, that's all they need to know -- they don't need to unhash it.

It's better to send the plaintext password over the wire, and do the hashing in the server application or database query, e.g.

SELECT *
FROM users
WHERE username = :username AND password = encryption_function(:password)

See Encryption and Compression Functions for the encryption functions available with MySQL.

This way, if someone gets your user database, they'll need to decrypt the passwords for them to be useful to break into your application.

Either way, you should make sure the passwords are transmitted over encrypted connections (e.g. SSL). If someone sniffs the traffic, either mechanism allows them to get whatever they need to login.

3
votes

Yes that would work, as a given hashing function always gives the same result when presented the same input. The only ability your users would loose is password recovery by looking in the db, but that's not the end of the world.

A note however about

it's possible to "de-hash" relatively easily these days.

Choose your hashing function wisely to mitigate this risk - you can go here for some inspiration (tl;dr consider bcrypt, scrypt and pbkdf2)

A criterion that should influence your choice is the existence of ready to use, trustworthy implementations of the selected algorithm, a quick Google search for the language you're using should point you in the right direction here.