[JohnsonB]

Couldn't they at least encrypt it, and store the key on a separate file?

*edit: I just want to be clear, I don't actually think encryption would a sufficient replacement for a good hashing function, the question was just pointing out how bad this decision by Hover was; not only do they decide to make the password recoverable, but they don't even take whatever meager opportunities there are to make it at least somewhat secure.

[ori_b]

What good would that do? If an attacker gets in, they can get the key just as easily as they can get the database.

[HaloZero]

But if you encrypt it with a key, then SQL injection attacks can't collect passwords as easily. You need to hack in and get the actual key to decrypt.

[JohnsonB]

Not necessarily, if they hack into one system then getting into another isn't automatic. If the passwords are in a separate filesystem/database than the key, and linked only with software, then unless it's the software that's comprised it would still increase the difficulty of getting both the password and key significantly. It also prevents trivial browsing of passwords via sql commands by rouge employees.

[__david__]

With symmetric encryption, probably (assuming the data wasn't gleaned with a purely SQL injection attack). With public key/private key encryption you could probably do it more securely by not letting the private key anywhere near the main app/web servers.

Of course, the more separation you have between the public and private keys, the less convenient it is to actually do anything useful with the plaintext.

[jfong]

It just adds one more wall but a short wall at that.

[zyphlar]

Generally it's pretty easy to get root on a system. Then you're generally 100% owned. The only away this will survive is on the good graces of malicious hackers everywhere.

[drivebyacct2]

>Generally it's pretty easy to get root on a system.

Number one, I'd love a citation on that in general. Root privilege escalation vulnerabilities in the Linux kernel are fairly rare.

Number two, how does an SQL injection turn into any sort of shell access magically? Not without some other obvious security shortcomings.

[reitzensteinm]

I assume that's what they're talking about implementing in the last paragraph.