In the military it's called "Defense in Depth". The theory is that you harden every layer you can rather than hardening just one layer and hoping it's enough.
I've heard databases like yours called "hard on the outside, soft and chewy on the inside". There are a million ways a dedicated hacker can get access to your database. Social engineering, a disgruntled employee, an ex-employee who decides to see if his login still works, or that backdoor he wrote is still there, one missed OS patch... the list goes on.
If a bad actor gets access through any of these methods, instead of just getting the data, he gets access to every username/password combination of every user of your system, and as someone pointed out, people often use the same combo for every website. So your hacker goes out and owns hundreds of people's Paypal, email, and bank accounts.
Tell him to consider that in many companies, security problems come from inside rather than out.
Now ask him how he's going to explain to his customers how hackers have stolen their passwords (which no doubt they used elsewhere) next time he has to fire someone for some reason.
Also ask him how much he thinks his customers would like to know that their passwords are visible to anyone with read access to the database.
Someone might break into your site. It may be unlikely, and this probably won't sway your boss (I can hear the conversation now: "Are you saying that the site isn't secure?") But it happens, and remember, no one ever thinks that their site will honestly be broken in to...
Casual viewing of the database by insiders (like yourself): You might not be TRYING to look at anyone's passwords, but you might, during the normal course of your work, need to look through the table containing the passwords. Considering that many people use the same password for absolutely everything (including possibly your boss!) you wouldn't want all of those passwords exposed. Ask your boss if he has ever reused a password on two different sites
If anyone ever found out that your application didn't encrypt the passwords, they might seriously question the trust of your application
It costs basically nothing to hash a password (preferably with a salt) into the database, so why not?
You may wish to point out that failure to properly secure the accounts could be exposing the company to legal liability if the information were ever compromised. Ignoring a known vulnerability could wind up costing you in legal fees if a user's data was exposed as a result of your company's actions (or inaction, as the case may be).
In the United States, there are certain types of data, such as financial and medical information, that companies are legally bound to keep secure and private. Failure to do so can have serious consequences. I'm not familiar with other countries' laws in this regard, but it's something worth looking into if your company is dealing with such data.
Besides the security risks, I wonder what your clients would say if they found out every employee of your company has access to passwords. When it comes to possible leaks, the passwords are at risk if:
the database is backed up by an external company
the operating system that the db software is running on has any security risks
security flaws in any other hardware or software firewall
any users that have access to the db somehow get a virus that could exploit the data
the db happens to be on a computer or laptop that is stolen
a disgruntled employee is fired and decides to "get back"
every once in a while you'll hear of businesses that store sensitive information in plain text and it never ends well. we're all human and prone to error, you can't assume perfection when it comes to security. you won't find any large, profitable company leave room for any risk that can be avoided since anything bad that can happen, will happen...
Plaintext passwords are not permitted if your organization maintains PCI-DSS compliance (e.g. a merchant who accepts credit cards). See PCI DSS item 8.4.
Plaintext passwords are not permitted if your organization is a financial institution that is insured by the FDIC (see FDIC FIL 69 2001).
Passwords should be encrypted both in transit and at rest, if you wish to achieve ISO/IEC 27001 certification, e.g. if you work with certain government agencies.
The two good answers I have seen promulgated for this question are:
You protect the passwords from snooping employees, i.e. people that have legitimate access to the database cannot easily steal a password should they feel so inclined,
A application logic flaw, such as an SQL injection one on a web site front end, will have a reduced chance of resulting in a compromise.
In my opinion it's a good idea to encrypt database password (although I'm yet to get around to doing it for most of my apps) but of far more importance is to make sure your database server is as bullet proof as possible with respect to network and authorised access. If an attacker can get to your database then it won't matter what how you've stored your passwords they will be able to break them.
发布评论
评论(9)
在军事上,这被称为“纵深防御”。 其理论是,您可以强化每一层,而不是只强化一层并希望它足够。
我听说像你这样的数据库被称为“外表坚硬,内部柔软耐嚼”。 专门的黑客可以通过一百万种方式访问您的数据库。 社会工程、心怀不满的员工、决定查看自己的登录是否仍然有效的前员工、或者他编写的后门是否仍然存在、错过了一个操作系统补丁……这样的例子不胜枚举。
如果坏人通过这些方法中的任何一种获得访问权限,他不仅可以获取数据,还可以访问系统中每个用户的每个用户名/密码组合,正如有人指出的那样,人们经常对每个网站使用相同的组合。 因此,您的黑客出去并拥有数百人的 Paypal、电子邮件和银行帐户。
我已经描绘出足够可怕的画面了吗?
In the military it's called "Defense in Depth". The theory is that you harden every layer you can rather than hardening just one layer and hoping it's enough.
I've heard databases like yours called "hard on the outside, soft and chewy on the inside". There are a million ways a dedicated hacker can get access to your database. Social engineering, a disgruntled employee, an ex-employee who decides to see if his login still works, or that backdoor he wrote is still there, one missed OS patch... the list goes on.
If a bad actor gets access through any of these methods, instead of just getting the data, he gets access to every username/password combination of every user of your system, and as someone pointed out, people often use the same combo for every website. So your hacker goes out and owns hundreds of people's Paypal, email, and bank accounts.
Have I painted a gruesome enough picture yet?
让他考虑一下,在许多公司中,安全问题来自内部而不是外部。
现在问他,下次他因某种原因必须解雇某人时,他将如何向客户解释黑客如何窃取他们的密码(毫无疑问他们在其他地方使用过)。
还要问他,他认为他的客户有多想知道他们的密码对任何具有数据库读取权限的人都是可见的。
Tell him to consider that in many companies, security problems come from inside rather than out.
Now ask him how he's going to explain to his customers how hackers have stolen their passwords (which no doubt they used elsewhere) next time he has to fire someone for some reason.
Also ask him how much he thinks his customers would like to know that their passwords are visible to anyone with read access to the database.
以下是一些原因:
Here are a few reasons:
您可能希望指出,如果信息泄露,未能正确保护帐户可能会让公司承担法律责任。 如果您公司的行为(或不作为,视情况而定)导致用户数据暴露,那么忽略已知漏洞可能会让您承担法律费用。
在美国,公司有法律义务保护某些类型的数据(例如财务和医疗信息)的安全和隐私。 否则可能会造成严重后果。 我不熟悉其他国家在这方面的法律,但如果您的公司正在处理此类数据,则值得研究一下。
You may wish to point out that failure to properly secure the accounts could be exposing the company to legal liability if the information were ever compromised. Ignoring a known vulnerability could wind up costing you in legal fees if a user's data was exposed as a result of your company's actions (or inaction, as the case may be).
In the United States, there are certain types of data, such as financial and medical information, that companies are legally bound to keep secure and private. Failure to do so can have serious consequences. I'm not familiar with other countries' laws in this regard, but it's something worth looking into if your company is dealing with such data.
除了安全风险之外,我想知道如果您的客户发现您公司的每个员工都可以访问密码,他们会怎么说。 当涉及到可能的泄露时,密码存在风险,如果:
每隔一段时间您就会听到这样的企业以纯文本形式存储敏感信息,结果永远不会好。 我们都是人,容易犯错误,在安全方面你不能假设完美。 你不会发现任何大型的、盈利的公司为任何可以避免的风险留下空间,因为任何可能发生的坏事都会发生......
Besides the security risks, I wonder what your clients would say if they found out every employee of your company has access to passwords. When it comes to possible leaks, the passwords are at risk if:
every once in a while you'll hear of businesses that store sensitive information in plain text and it never ends well. we're all human and prone to error, you can't assume perfection when it comes to security. you won't find any large, profitable company leave room for any risk that can be avoided since anything bad that can happen, will happen...
如果“向破解者提供一份银盘上的密码列表”还不是一个足够好的理由,那么什么才是足够好的理由呢?
If 'handing your crackers a list of passwords on a silver platter' is not a good enough reason, what constitutes a good enough reason?
纯文本密码的数据库被盗的案例太多了:如果 这可能发生在 reddit 上,也可能发生在你身上。
There are just too many cases of databases with plain text passwords being stolen: If it can happen to reddit, it can happen to you.
如果您的组织遵守 PCI-DSS 合规性(例如接受信用卡的商家),则不允许使用明文密码。 请参阅 PCI DSS 第 8.4 条。
如果您的组织是由 FDIC 承保的金融机构,则不允许使用明文密码(请参阅 FDIC FIL 69 2001)。
如果您希望获得 ISO/IEC 27001 认证(例如,如果您与某些政府机构合作),则应在传输过程中和静态时对密码进行加密。
Plaintext passwords are not permitted if your organization maintains PCI-DSS compliance (e.g. a merchant who accepts credit cards). See PCI DSS item 8.4.
Plaintext passwords are not permitted if your organization is a financial institution that is insured by the FDIC (see FDIC FIL 69 2001).
Passwords should be encrypted both in transit and at rest, if you wish to achieve ISO/IEC 27001 certification, e.g. if you work with certain government agencies.
对于这个问题,我看到的两个好的答案是:
您保护密码免遭窥探员工的侵害,即拥有数据库合法访问权限的人如果愿意的话,就无法轻易窃取密码,
应用程序逻辑缺陷(例如网站前端上的 SQL 注入)将导致减少导致妥协的机会。
在我看来,加密数据库密码是一个好主意(尽管我还没有时间为我的大多数应用程序执行此操作),但更重要的是确保您的数据库服务器在以下方面尽可能防弹:网络和授权访问。 如果攻击者可以访问您的数据库,那么无论您如何存储密码,他们都可以破解它们。
The two good answers I have seen promulgated for this question are:
You protect the passwords from snooping employees, i.e. people that have legitimate access to the database cannot easily steal a password should they feel so inclined,
A application logic flaw, such as an SQL injection one on a web site front end, will have a reduced chance of resulting in a compromise.
In my opinion it's a good idea to encrypt database password (although I'm yet to get around to doing it for most of my apps) but of far more importance is to make sure your database server is as bullet proof as possible with respect to network and authorised access. If an attacker can get to your database then it won't matter what how you've stored your passwords they will be able to break them.