0

My application needs to connect to several sources (MySQL and Oracle).

Admin users can add sources.

They will supply credentials for these sources.

I will store the credentials, I don't want to store a password as clear text, so I want to hash it.

I then need to use these credentials to connect and do a SELECT.

How can I connect to MySQL using the password, which is hashed in my db?

Amended when I realised how silly being able to connect with a hashed password would be!

I think what I actually need to do is just encrypt my passwords in my db, then decrypt before I connect. Any advice on how I should do this?

Mick

  • 2
    You cannot. By design. Otherwise it would defeat the purpose of hashing passwords in the first place. – Alex Blex Oct 11 '16 at 10:46
  • If the deal is to secure your database information, you may find [this StackOverflow answer](http://stackoverflow.com/a/98021/3753055) useful. Plus, since you cannot go back and un-hash a password, it is impossible to retrieve the original raw password and provide it to your database connector. So you cannot do this this way. – Anwar Oct 11 '16 at 10:50
  • Do you mean you want to secure the database password? So that the database password cannot be stolen from your source code? – Sarvap Praharanayuthan Oct 11 '16 at 10:57
  • No, these are new db connections, which users create. I need to store them in my db. – Mick Oct 11 '16 at 11:08
  • Because I don't want to store the passwords as plain text. Are you suggesting that this is OK? – Mick Oct 11 '16 at 11:10
  • Read my original post. Users need to be able to add new connections to new databases. – Mick Oct 11 '16 at 11:14
  • How will you connect to these datasources? Through the Laravel app, or outside of Laravel? – henrik Oct 11 '16 at 11:16
  • Using Laravel but like this: Config::set("database.connections.mysql", [ "host" => "...", "database" => "...", "username" => "...", "password" => "... – Mick Oct 11 '16 at 11:17
  • Using config::set will only store the password in a global variable. You know this, right? – henrik Oct 11 '16 at 11:34
  • Yes but that will then allow me to collect won't it? Got a better way? – Mick Oct 11 '16 at 11:38

3 Answers

1

Looks like an XY problem here.

What you are really asking about is datasource authentication management. It can be done with 3rd-party authentication. Something like LDAP or Kerberos.

Please read for inspiration:

Or leave it as plain text to cut the cost of development and support.

Alex Blex
  • 1
    Thanks. Looks like I have opened a can of worms here. I see your XY point, I just want a way to add and use these connections securely. (Without adding 3 months development work.) I am only prototyping at the moment so can do this a different way if I need to. – Mick Oct 11 '16 at 11:33
  • 1
    So leave it as plain text for now. If I am not mistaken, you have the plain password to connect to the "admin" database hardcoded anyway. Later you can slightly improve security by encrypting passwords stored in the database with something like http://php.net/manual/en/function.mcrypt-encrypt.php. You will need to decrypt them at runtime to connect to datasources. – Alex Blex Oct 11 '16 at 11:46
  • I was thinking I might do something like that now. I don't like the idea of leaving them as plain text. Thanks. – Mick Oct 11 '16 at 11:47
0

No, you cannot connect to the database using a hashed password. There would be no point in hashing if that were the case. This is how it goes:

  1. You create a user with a password (which is a string of characters).
  2. The string is converted into another fixed-length (generally) string using a hashing algorithm.
  3. When you try to log into the system with your password, the hashing algorithm will again run your password and see if it returns the same hashed string as it did when you created your account.
  4. If it does, you log in.
  5. However, if you enter the hashed string, MySQL will treat it as the actual password and hash it further. It won't match. Hence, it won't work.
MontyPython
  • Yes, I get that but I think you need to read my question again. These are database connections, which my admins add and my application uses to connect and SELECT. – Mick Oct 11 '16 at 11:40
  • 1
    It is very helpful when you ask the right questions ;) Just do some research to ask it properly. – Alex Blex Oct 11 '16 at 11:49
  • 1
    I did some research (and still am) before I got stuck and asked the question. Alex, your answer was the most helpful, since it contained links and advice. One-liners with no advice at all are infuriating. – Mick Oct 11 '16 at 13:03
0

You cannot connect to a db with a hashed password, that's the whole point of hashing them. This means that if they are maliciously obtained, they cannot be used.

I just need to use mcrypt to encrypt them when I save them and then decrypt when I connect to the sources.

This is probably the best solution which doesn't require a PhD.

Not sure why someone couldn't have suggested this.

I am also considering writing small APIs for the database connections which will just pass the data back to my main application.

Mick
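
The encrypt-on-save, decrypt-on-connect approach from this answer, as an added example that is not part of the original post: it uses PHP's bundled libsodium extension (PHP 7.2+) rather than mcrypt, which was removed from PHP core in 7.2. The `SOURCE_CRED_KEY` variable name, the function names, the `source:<id>` associated-data format and the demo values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
const NONCE_LEN = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
const TAG_LEN   = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES;

// The key lives outside the database (environment or secret store), never next to
// the ciphertext. SOURCE_CRED_KEY is a hypothetical name: base64 of 32 random bytes.
function loadKey(): string
{
    $key = base64_decode((string) getenv('SOURCE_CRED_KEY'), true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
        throw new RuntimeException('SOURCE_CRED_KEY is missing or not 32 bytes');
    }
    return $key;
}

// Call before saving a source. The row id is bound as associated data, so a
// ciphertext copied onto a different row fails authentication on decrypt.
function sealPassword(string $plain, int $sourceId, string $key): string
{
    $nonce = random_bytes(NONCE_LEN);   // fresh nonce for every encryption
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plain, "source:$sourceId", $nonce, $key);
    return base64_encode($nonce . $ct); // one text column holds nonce + ciphertext + tag
}

// Call just before connecting; throws instead of returning garbage.
function openPassword(string $stored, int $sourceId, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < NONCE_LEN + TAG_LEN) {
        throw new RuntimeException('stored credential is malformed');
    }
    $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($raw, NONCE_LEN), "source:$sourceId", substr($raw, 0, NONCE_LEN), $key);
    if ($plain === false) {
        throw new RuntimeException('stored credential failed authentication');
    }
    return $plain;
}

// Constructed demo values; a real deployment would call loadKey() instead.
$key    = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES);
$stored = sealPassword('example-db-password', 42, $key);
var_dump(openPassword($stored, 42, $key) === 'example-db-password');
try {
    openPassword($stored, 43, $key);    // same ciphertext, wrong row
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The string returned by `openPassword()` is what would go into the `"password"` entry of the `Config::set` call quoted in the question's comments, immediately before the connection is opened.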