Secure way to store MySQL/FTP passwords

t0msk · wrote on 2 Feb 2017, 21:37

Hello, I read that storing passwords in "hardcoded" source code is not recommended, because someone can refactor / disassemble program and get secret password.

So my question is how to store passwords in app? For example my app needs to communicate with MySQL server.

Thank you

SGaist · wrote on 2 Feb 2017, 21:41

Hi,

Before thinking of storing any database credentials: why does your application need to hard code such a password ?

t0msk · 2 Feb 2017, 22:53

Because my app connects to MySQL server and selects some data, then process that data and update DB with new data.

I dont say, that it has to be hardcoded, I am looking for secure way.

beecksche · 3 Feb 2017, 08:57

Hi,
maybe this is a help: https://wiki.qt.io/Simple_encryption_with_SimpleCrypt

SGaist · wrote on 3 Feb 2017, 08:10

Ok, classic use case. Then how many users are you planning to give access to to your database ?

t0msk · wrote on 3 Feb 2017, 08:57

@beecksche said in Secure way to store MySQL/FTP passwords:

Hi,
maybe this is a help: https://wiki.qt.io/Simple_encryption_with_SimpleCrypt

Yea, but I have to add plain password into code anyway.

@SGaist said in Secure way to store MySQL/FTP passwords:

Ok, classic use case. Then how many users are you planning to give access to to your database ?

A few, around 2-3.

veryqtperson · 3 Feb 2017, 18:53

To reduce the risk you can create a role at your MySQL server with limited access rights, like an ability to use particular database with SELECT queries only (or what is your use-case). And then if password for that role will "leak" - it's still bad, but not the end of the world.

But anyway, I don't see any more secured way rather then hardcoded password inside application binaries. You can use some obfuscation on top. And also instead of storing password in a single string, you can "construct" it with several functions from different strings combining with some calculations to make it harder to discover the initial string during disassembling.

t0msk · wrote on 3 Feb 2017, 18:53

@veryqtperson said in Secure way to store MySQL/FTP passwords:

To reduce the risk you can create a role at your MySQL server with limited access rights, like an ability to use particular database with SELECT queries only (or what is your use-case). And then if password for that role will "leak" - it's still bad, but not the end of the world.

But anyway, I don't see any more secured way rather then hardcoded password inside application binaries. You can use some obfuscation on top. And also instead of storing password in a single string, you can "construct" it with several functions from different strings combining with some calculations to make it harder to discover the initial string during disassembling.

yes it is option too :)

@SGaist said in Secure way to store MySQL/FTP passwords:

Ok, classic use case. Then how many users are you planning to give access to to your database ?

Do you know something better? I was thinking about API calls, but it is hard to secure (I think).

SGaist · wrote on 3 Feb 2017, 21:07

If you are thinking about a REST API, it's currently the trend to shield databases from the rest of the world. It's not that hard to secure. You can implement authentication pretty easily with e.g. Django.

After that, the same constraint applies to your code: you don't want passwords in it. So you can have your user create an account on the service to get their credentials.

t0msk · 2 May 2017, 11:21

ok for now I will create MySQL user with limited rights and I will encrypt password using AES-256 and I will save encrypted password into plain text file in Qt resource file, I think this can be quite enough against disassembling (it is not going to be app for download, it is only for some people)

Is possible after compilation open that Qt resource file and see what is inside? Or is it a binary? If it is a binary, its ok, I think :)

kshegunov · T t0msk 5 Feb 2017, 11:18

Obfuscation isn't security!
What you should do is what @SGaist wrote - have user credentials that are stored in a secure service somewhere, then ask the service for the database credentials based on the user credentials (over SSL obviously).

I will encrypt password using AES-256 and I will save encrypted password into plain text file in Qt resource file, I think this can be quite enough against disassembling (it is not going to be app for download, it is only for some people

This is no different than storing a plain text password. Any debugger can be used as a disassembler and anyone can look up the strings that are stored in the binary, it's really a trivial thing to do.

Or is it a binary? If it is a binary, its ok, I think

Well it's a binary, but that doesn't change a thing. I could retrieve the password in a few minutes from your binary, so again ... obfuscation isn't security!

t0msk · 5 Feb 2017, 12:43

And what is secure service? API?

kshegunov · 2 May 2017, 12:46

Yes an API of some sort that's running over a secure connection (as mentioned). Also the service itself needs to take care to secure its data, but that's the service's problem to begin with, not your app's.

t0msk · wrote on 5 Feb 2017, 13:10

ok thank you :)