4

There are many questions on StackOverflow about simple, database-less login systems. I was about to suggest a salted hash approach on a recent one, when I thought: "does it really make sense to do that?".

I have been storing salted hashes on databases for years, and I understand why it's more secure: if the database is compromised, the information it contains won't allow anyone to log into my system (unlike if I were storing plain text passwords in the db).

But in a setup that does not involve a database, does hashing+salting offer any security benefits? The only reason I can think of is, if an attacker gains read-only access to my server-side code, it won't be possible to figure out any passwords. Is this a likely scenario? Because as soon as the attacker gains write access to the files, he can do anything.

So my question is: when setting up very simple, database-less login systems, should passwords be salted/hashed, or just stored as plain-text?

Community
  • 1
  • 1
bfavaretto
  • 71,580
  • 16
  • 111
  • 150
  • *if an attacker gains **read-only** access to my server-side code* **does not equal** *because as soon as the attacker gains **write** access to the files* – Conrad Frix May 21 '12 at 17:04

3 Answers3

3

Yes, it still provides a benefit to hash and salt them. If the script's sourcecode is leaked people could otherwise simply use the hardcoded password or google for the hash and possibly find the input value. With a salted hash neither is possible.

ThiefMaster
  • 310,957
  • 84
  • 592
  • 636
2

I think the question is answered for you if you can figure out the answer to, "is my source code significantly less likely to be read by an attacker, than is a database?".

I would suggest that it is not -- perhaps your source is somewhat less likely to leak, depending how things are backed up etc. Even so I doubt that it's so much less likely to leak that you can neglect the risk, given that you do not neglect the same risk for databases. The reason that passwords in database should be salted/hashed isn't that there's some special property of databases that means attackers can view their contents[*], it's that attackers can get a look at all kinds of things, one way or another.

In fact source code might even be more likely to leak than a database, given that anyone working on the system might need access to the source, whereas not everyone working on a system necessarily needs access to the contents of the live DB. Not that I think your developers are dishonest (if they are, you have worse problems than the password leaking), just that the logistics around sharing source might introduce more (or just different) ways it can accidentally leak, than the logistics around backing up a DB.

Personally, in your situation I would create a small file on the server containing the hashed/salted password and approximately nothing else. Users installing different instances of the app can generate their own versions of this file, containing their own password, separate from the actual application code. They should lock it down with the same write-access restrictions as they do the source code.

Whether you call this file "a read-only database" or "part of the server code" doesn't affect how easy it is for an attacker to view it, although it might affect whether you refer to the password as "hard-coded".

[*] of course there are potential flaws that are special to particular databases, SQL injection attacks or whatever. Those are not the decisive reason why passwords in databases should be salted and hashed.

Steve Jessop
  • 273,490
  • 39
  • 460
  • 699
  • Thanks. I like the idea of storing the hashed/salted password on a separate, small file. It will even make it a bit more difficult to the attacker - one more place to look, one more file permission to obtain, etc. And you're right, I always thought of the db as more likely to leak, but now I realize it's not necessarily the case. – bfavaretto May 21 '12 at 17:53
  • @bfavaretto: well, I wouldn't say the small file is *necessarily* harder for an attacker to read than the source, just differently difficult. The classic mistake in this area is to misconfigure your web server, so that files with the extension used by your source aren't served but files with the extension used by your data file are! So don't do that, and if someone installing your app does, then at least you have the salt :-) – Steve Jessop May 21 '12 at 18:06
1

Well, as Steve Jessop already outlined. Source code can leak or is more likely to get in some hands. If you hardcode a password (what I understnand) then why not store it as a datastructure of two parts => the salt used and the hashed password. You know it but it never appears in source code. This is also what people do with DB connection strings or similar. Encrypt it with the key lying in the variable beneath it. Thus it never appears right in source code. maybe not even in memory dump unless just crossed.

Robetto
  • 739
  • 7
  • 20