Please, for f***'s sake, salt your passwords
In recent weeks we were hired to investigate a security breach in a company's systems. This company has a lot of projects running on a few servers. Each project serves a different customer and each project has its own database. The database setup was fine: they use MySQL, each database has its own MySQL user, and the MySQL root user and the Linux root user are only accessible from the server itself. So far, so good.
The problem is that every project recycles the code that handles system users, including the login. So every project's database has a table named 'user', like this:
CREATE TABLE user (
  id int(10) unsigned NOT NULL AUTO_INCREMENT,
  name varchar(100) DEFAULT NULL,
  email varchar(20) DEFAULT NULL,
  password varchar(100) DEFAULT NULL,
  PRIMARY KEY (id),
  UNIQUE KEY email (email)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
And every project uses the same code to handle this table's data, including the login. The issue is that the password was stored hashed with plain, unsalted MD5. If you are not familiar with the term, check this link: https://en.wikipedia.org/wiki/MD5
MD5 is not an acceptable password hash. Its known collision attacks are not even the problem here; the problem is that it is extremely fast, so an attacker with an ordinary computer can test billions of guesses per second against an unsalted hash. On top of that, there are dictionaries, lookup tables and rainbow tables with millions of inputs that have already been cracked, so many hashes never need to be computed at all. Check this: https://crackstation.net/
Before their systems were modified, the records in the 'user' table looked like this:
+------------------+----------------------------------+
| email            | password                         |
+------------------+----------------------------------+
| [email protected] | e99a18c428cb38d5f260853678922e03 |
| [email protected] | e99a18c428cb38d5f260853678922e03 |
+------------------+----------------------------------+
In this example both users have the same password, hashed with MD5. Identical passwords give identical hashes, so the attacker only has to crack it once, and if you paste the hash into the site linked above you get the password in plain text: 'abc123'.
The security breach was carried out through a fairly elaborate SQL injection attack, and we have to assume that the 'user' table of every project was compromised.
In our final report we identified the probable SQL injection vector, we recommended using a different hashing function (sha256 was our suggestion) and we also recommended salting the passwords. One caveat worth stating: a salt defeats precomputed tables, but a salted fast hash such as SHA-256 still lets an attacker who has the salt test guesses at full speed, one hash per guess. A deliberately slow password hash (bcrypt, scrypt, Argon2 or PBKDF2) is the stronger choice, and the salt is just as necessary with those.
Salting means generating a random string (the 'salt') for each user, storing it alongside the hash, and prepending or appending it to the password before hashing. Because every user gets a different salt, the same password produces a completely different hash for each user. The salt does not have to be secret; its job is to make precomputed tables useless, not to stay hidden.
We recommended altering the 'user' table to add a salt column:
CREATE TABLE user (
  id int(10) unsigned NOT NULL AUTO_INCREMENT,
  name varchar(100) DEFAULT NULL,
  email varchar(20) DEFAULT NULL,
  password varchar(100) DEFAULT NULL,
  salt varchar(100) DEFAULT NULL,
  PRIMARY KEY (id),
  UNIQUE KEY email (email)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
With this change, the records in the 'user' table look like this:
+------------------+------------------------------------------------------------------+----------------------------------------------+
| email            | password                                                         | salt                                         |
+------------------+------------------------------------------------------------------+----------------------------------------------+
| [email protected] | 3ccfc6d59d97b314d2f43afc326cfed126e0a094d2f61abb51b590ed1e52be5a | BGqNU2sxhXkhVw3hPFKPkt0wiAtpaSSgsOSGYhWDZLw= |
| [email protected] | b50a93f85f4722596ac453fd17bed870e2bbad25a04c5b0a7a427be6a3e7f0c5 | gkc/DrlyTQQeCAe9VMW6N0al9BqUl27m4DIqpTD8eqE= |
+------------------+------------------------------------------------------------------+----------------------------------------------+
In this example both users have the same password ('abc123' again), but as you can see the stored hashes are completely different. Dictionaries, rainbow tables and lookup tables are useless now: a precomputed table would have to be built per salt, and every user has a different one.
For more detailed information look at this link: https://crackstation.net/hashing-security.htm
Please, if you are developing a system, consider this; it is for everyone's good. Remember that the United States is probably on its way to electing someone who said this about the internet https://www.youtube.com/watch?v=JcmiHx5Yf2I (and who is also a climate change denier, is against women's right to choose, is against free trade, wants to bring coal back, etc.)
I hope someone finds this post useful.