Mysql – How to encrypt the passwords of all datasets in the thesql table

encryptionMySQLSecuritysql

I am running an ProFTPD Server with a MySQL backend for user authentication.

The passwords for the users are currently in plaintext. And my goal is, that all the users have encrypted passwords stored in the database.

I know that when I want to encrypt one password from one user I can type in the SQL command:

update users set password= md5('MyPassword') where password="myPassword";

But how can I encrypt all all passwords from all users?

I hope anyone can help me.

Best Answer

update users set password= md5('MyPassword') where password="myPassword";

It is not safe to use MD5 as a hash. MD5 is deprecated

Safe hash algorithms are PBKDF2, bcrypt, scrypt etc. And additionally all hash algorithms have to be used with salt. @Gerald Schneider posted a very good link for this topic: https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords

The problem here is, that none of these save hash algorithm are implemented in mysql. There is an authentication mode for PBKDF2 in ProFTPD in the mod sql module. But there is no way OOTB you can generate a PBKDF2 hashed password, or a password, that is hashed with another safe algorithm, in a mysql database.

A possible solution would be to create an HTML page with PHP. PHP has functions, implemented by default, for generating safe hashed passwords.

I asked in the ProFTPD forum, if anyone there knows another, maybe better answer, to the problem: https://forums.proftpd.org/smf/index.php/topic,12110.0.html

Yes, I know the original question was, how could one hash all the passwords in my database at once with one command. But I think, first, I should look for a safe hash algorithm.

Related Solutions

Debian MySQL User – What is the debian-sys-maint MySQL User?

What is debian-sys-maint used for?

One major thing it is used for is telling the server to roll the logs. It needs at least the reload and shutdown privilege.

See the file /etc/logrotate.d/mysql-server

It is used by the /etc/init.d/mysql script to get the status of the server. It is used to gracefully shutdown/reload the server.

Here is the quote from the README.Debian

* MYSQL WON'T START OR STOP?:
=============================
You may never ever delete the special mysql user "debian-sys-maint". This user
together with the credentials in /etc/mysql/debian.cnf are used by the init
scripts to stop the server as they would require knowledge of the mysql root
users password else.

What is the easiest way to restore it after I've lost it?

The best plan is to simply not lose it. If you really lose the password, reset it, using another account. If you have lost all admin privileges on the mysql server follow the guides to reset the root password, then repair the debian-sys-maint.

You could use a command like this to build a SQL file that you can use later to recreate the account.

mysqldump --complete-insert --extended-insert=0 -u root -p mysql | grep 'debian-sys-maint' > debian_user.sql

Is the password in /etc/mysql/debian.cnf already hashed

The password is not hashed/encrypted when installed, but new versions of mysql now have a way to encrypt the credentials (see: https://serverfault.com/a/750363).

Mysql – SASL (Postfix) authentication with MySQL and Blowfish pre-encrypted passwords

postfix can be configured to use dovecot for SASL authentication, so you might be better off starting the other way around and figuring out if you can get Dovecot to process these hashes.

Keep in mind that hashes are designed not to be "decrypted". When someone wants to log in, the application takes the original salt, the password the user provides and recalculates the hash, if the hashes match, the password was "right".

Are these just raw hashes Devise stores in the database, or are they stored in Modular Crypt Format (starts with $x$...)? If they're in crypt format, Dovecot should be able to support them as long as you specify scheme=CRYPT. The only thing is that I don't see an MCF ID for SHA-1, only $5$ which is SHA-256 and $6$ which is -512 (both are SHA-2 family hashes).

Alternatively, if Devise uses a database-accessible function to create the password (like MySQL's PASSWORD() function) then you should be able to craft a custom database query for authentication using whichever mail server's database connector, which gives you the ability to do something like

SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users WHERE userid = '%u' AND mysql_pass = password('%w')

Best Answer

Related Solutions

Debian MySQL User – What is the debian-sys-maint MySQL User?

Mysql – SASL (Postfix) authentication with MySQL and Blowfish pre-encrypted passwords

Related Topic