I think these are legitimate questions.
On Wed, Jun 5, 2013 at 1:01 PM, Adrian Mouat <[email protected]> wrote:

> Hi,
>
> I was just wondering why you are using AES_ENCRYPT for storing
> "passwords" in Invenio. (I say "passwords" as I realise you are actually
> storing the e-mail address encrypted with the password).
>
> I'm not an expert on security, but the issue with AES_ENCRYPT is that it
> can be *decrypted*(1) whereas a one way hash (e.g. SHA) can't. Also, why
> don't you store and encrypt a random number per user rather than use the
> e-mail address? This would be *slightly* more secure(2) and avoid the
> problem where users must reset their passwords.
>
> Just to be clear, I don't see a potential attack here.
>
> Apologies if you've answered this many times before.
>
> Regards,
>
> Adrian.
>
> 1) I realise all decryption would give you is the e-mail address. I
> suppose if an attacker for some reason has the encrypted passwords but
> nothing else, they can use a dictionary attack to get the e-mails and
> log-in.
>
> 2) I say slightly as it requires the attacker to know the random numbers
> rather than just the (possibly public) e-mail. But if they have access to
> the DB, they probably have the random numbers.
>
> --
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.

--
-------------------------
Mureşan Bogdan
Systems Engineer
Facultatea de Ştiinţe Politice, Administrative şi ale Comunicării - Cluj Napoca
(004) 0788 94 11 65
(004) 0737 25 88 33
-------------------------
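The alternative raised in the quoted message (a one-way hash with a random per-user value instead of the e-mail address), as an added example that is not Invenio's code and not written by either poster. It uses PBKDF2-HMAC-SHA256 from Python's standard library rather than bare SHA; the record layout, function names, sample accounts and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware


def new_record(email: str, password: str) -> dict:
    """Create a user row: the salt is random per user, not derived from the e-mail."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"email": email, "salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def change_email(record: dict, new_email: str) -> dict:
    """The e-mail is not an input to the hash, so no password reset is needed."""
    return {**record, "email": new_email}


if __name__ == "__main__":
    # Constructed sample accounts sharing one password.
    alice = new_record("alice@example.org", "correct horse")
    bob = new_record("bob@example.org", "correct horse")
    moved = change_email(alice, "alice@new.example.org")
    print("login after e-mail change:", verify(moved, "correct horse"))
    print("wrong password rejected:", not verify(moved, "wrong horse"))
    print("same password, different stored value:", alice["hash"] != bob["hash"])
```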

