Storing database password in plain text?

Question

In the context of a web application, I will be providing the user the ability to provide a username and password for their MySQL database.

Right now, the username and password is generated randomly. These credentials (username, password) are show in plain text on the web application's Settings page. This seems perfectly acceptable for me, because, they are currently randomly generated.

However, as I'm now going to be allowing user provided passwords, I'm concerned that it might not be a good idea to show them in plain text.

Is there an industry standard that could relate to something I'm doing with user provided database passwords?

Should I not show the password in plain text, but only show a form to change the password only?

Answer 1

Yeah definitely never a good idea, in general, to show or store passwords in the open. That said, there are such things as compensating controls. I.E. physical securities to safeguard viewing of passwords, encryption channels for transporting passwords, as well as bolstered security around your database. I don't know if there are any compensating controls for your particular situation because everyone mostly looks at passwords in clear text as a no-no, but you can take a look at the NIST standards.

Answer 2

“I will be providing the user the ability to provide a username and password for their MySQL database.”

It’s unclear what your trying to achieve. You’ll provide them with a username and password to access the MySQL database (for maintenance?) or you’ll provide them with a username and password to authenticate as users against the MySQL DB? If the second:

• “Right now, the username and password is generated randomly.” On first registration ? How is the username and password delivered ? What if they forget not only their password but also username? How do you link someone’s identity to a given user ID? Corporate e-mail address ? if yes, then what’s the rationale behind using a random generated username (or will they be able to change it after registration ?) The only thing this may add is additional privacy over using, say, an email address. But chances are there's enough information contained in your account to identify you anyway.

• “and password is generated randomly” means what exactly ? Remember, it's not always feasible to remember complex passwords - If you force people to do so anyway you will end up with sticky notes or papers attached to a screen.

• “These credentials (username, password) are show in plain text on the web application's Settings page.” Honestly I don’t see any way why this would make any sense storing the password in any form in the web application’s Settings page. If they forget it, they won’t see it. If they remember it, they most likely won’t double check on it. Oh, and think about shoulder surfing. Is it a complex one ? Fair enough, but again you will end up with sticky notes or papers attached to a screen.

But again, I’m uncertain what you question is.

Answer 3

Problematic topic :-) Could you please check following references, they may help you.

For baseline

NIST - Identity Management https://pages.nist.gov/800-63-3/sp800-63b.html

For baseline - II

Australian Government - Authentication Credential Requirements https://dta-www-drupal-20180130215411153400000001.s3.ap-southeast-2.amazonaws.com/s3fs-public/files/digital-identity/Trusted%20digital%20identity%20framework%202/Authentication%20Credential%20Requirements.pdf

RETIRED, Identity Management publication replaced this publication

NIST - Enterprise password management https://csrc.nist.gov/csrc/media/publications/sp/800-118/archive/2009-04-21/documents/draft-sp800-118.pdf

When you decide to encrypt that password

NIST - Security Requirements For Cryptographic Modules https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf

As last words, there is many infosec standard. This standards are used by who will use your tool so you need to be compatible with them also. Example: ISO 27001/27002, PCI, HIPAA, etc.