Member Avatar for savedlema

Hi all!
I'm asking this after reading so many articles on the internet about hashing & salting, and the entire theme of securing database connection settings.

I'm making an application that uses mysql database. Currently, the connection settings are stored as plain text in the Win Registry. Since this is easy to read, I am looking for a way of protecting this password so that even if some bad guy will be able to read it in the registry, he still won't be able to get into my mysql database.

Lots of threads says I should use password hashing with salting. Can someone experienced help me with this?
-Let's say my db password is "yesican", how do I generate the hash&salt
-How do I use the value I saved in the registry, match it with some key to decided where login information is ok or wrong.

I will surely appreciate a guide in this.

Thanks,
Frank.

  • 2 Contributors
  • 3 Replies
  • 1K Views
  • 1 Week Discussion Span
  • Latest Post Latest Post by ryantroop
Member Avatar for ryantroop

Based on your use case, I do not think that a hash is sufficient for your needs. A hash is one-way, and then you do a comparison lookup against the hash.

What you seem to want is encrypted text, with a method for decryption within your application.

Depending on your program language of choice, you will have lots of options on what method of encrypt/decrypt you can use, including the algorithm and whatever data you want to string together (i.e., your data + your salt). Your salt can be anything that is unique to the platform (such as a GUID).

By simply hashing, you will just be putting a hashed version of "yesican" into the registry instead of a plain text version - however, if you cant decrypt it, then you will end up having to use the hash instead of the plain text for the password. (i.e, the hash becomes the password, and the plain texts is irrevokably lost).

I am not a VB writer, but this should at least get you started:
https://msdn.microsoft.com/en-us/library/ms172831.aspx

Member Avatar for savedlema

Thanks ryan...I have been confused with people online who says encryption will not be good its not safe....and others telling me the opposite. Thanks for the link, I'm reading the article.

Member Avatar for ryantroop

You know.. I re-read your post and Im a bit confused... so I want to clarify and maybe direct you in a different direction.

If you are using an application on a machine that will interact with a remote database, then you need some sort of authentication layer to protect your data. Otherwise, all anyone would need is an install of your app, a valid "password" that is in its encrypted state in their registry, and voila! They get access. This is a very weak protection.

Odds are, you are going to want to know who logged in, who made what changes, and who broke whatever they broke.

I would encourage you to instead make your app part of the authentication layer, which identifies itself to a web host, which in turn will have the password and everything else you need for your mysql database. This abstraction will make sure no one ever has their hands on your password (encrypted or not), and all they will ever have access to is a login prompt. Even if they reverse engineer your application, all they will learn is what method you use for authentication (be it an oAuth or domain, etc..).

Your app would hold a valid public key to access data on your web server, and with that no one could ever really harm your data or system without a valid user id and password (unless you get brute force hacked, or you give someone that password).

You may want to reconsider your direction if security is really that big of an issue. In truth, encryption alone may not be enough.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.