Home/ Questions/Q 8603665
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T02:22:39+00:00

Currently I’m working on software which connects to a MySQL database in order to

  • 0

Currently I’m working on software which connects to a MySQL database in order to retrieve and store data. The software itself is running as it should be, but I want to implement some new security features.

One of these security features is to store the password of the database user as a hash and not in plain text. For the record, I am NOT using a table to verify users, I’m talking about the database user to connect to the database itself.

I’m currently using a MySQL connection string which sends the password in plain text:

public abstract Database()
    {
        ReadConfig();
        connectionstring = "SERVER=" + server + ";" +
                "DATABASE=" + database + ";" +
                "UID=" + username + ";" +
                "PASSWORD=" + password + ";";
        try
        {
            connection = new MySqlConnection(connectionstring);
        }
        catch (MySqlException ex)
        {
            LogService.Log("ERROR - " + ex.ToString());
        }
    }

I also store this data on the user’s computer, so the user can change the server address, database, username and password. As I said, this is stored in plain text. Server addresses, database names and usernames stored as plain text are fine by me, but I don’t want to store the password in plain text.

Generating a SHA1 hash (or other hashing method) is not the problem, as I already have a method to generate these hashes.

In short, I would like to save the password as a hash, and use that hash in de connection string. How can I implement this?

EDIT:
I’m aware this is a ‘security through obscurity’ solution and it isn’t the best way to extend the security of my software. I’m looking into ways to find out how to use challenge-response methods, but in the mean time I would like to implement the above.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The best you can do here is to encrypt the user’s login info and use the plaintext when you want to do a login. MySQL won’t take the hashed value – if it did, this wouldn’t be any more secure than using the original (unhashed) value.

    A ‘shared secret’ challenge would be to use a proxy on your server to control the login. When a client wants to connect, the server proxy would send a long string of random bits. The client would append the (shared) ‘secret text’ to the end of this, use your SHA-1 hash on it and send it back to the server. The server would do the same with the text and compare the strings. This way it’s essentially a different password each time and sniffing it won’t matter.

    Once the client is authenticated the server proxy would enable communication with the mysql process. Using libmysql (or its c#) equivalent you can duplicate anything that would happen on a ‘regular’ mysql client.

    • 0