Leo

Storing Database Password

If I save the password to the database as a hash in the configuration file of the application or in the code for security reasons, how does the application connect to the database if it does not accept authentication using a hash? What is the process of authentication if the password is saved as a hash and not cleartext?

Thanks.

I tried to search the internet but didn't find any answer to that.


Answers (1)

Andy

Password hashing

Password hashing is used by applications that directly authenticate users. They hash the input coming from the user, and compare it to the hashed version they have on file. That way, they can see if the user knows the password, without actually having to know the password themselves.

The advantage is that, if a hacker gets full access to the application, and all of its secrets, the user's passwords will not be among them. Instead, the hacker will get a list of hash values, which are more or less useless.

Database credentials

This is a different situation, because the database is doing the authentication, and you're just storing your credentials, unhashed, so you can give them to the database later on in the future.

It's risky to store your credentials in plaintext.

So the MySQL database has an alternative: https://dev.mysql.com/doc/mysql-shell/8.0/en/mysql-shell-connection-using-files.html

...and most other databases do, too.

If something like this is not an option, you should at minimum set the permissions on the configuration file to be extremely narrow, so that only you and the database can access your credentials.

Why couldn't you use a hash to authenticate with the database?

The hash isn't considered secure. A hacker might know a hash, without knowing the actual password. The database requires the full password to safeguard the sensitive data.

Likewise, if you're building your own application, you also require the user to provide the full, original password. At that point, you would then hash the password to check that the password is correct.

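The two cases the answer separates, as an added Python example that is not from the question or the answer: a user's password is kept only as a salted hash and checked by recomputing it, while the database credentials are read back verbatim from a config file that the loader refuses to use unless its mode is 0600 or stricter. The function names and the key=value file format are my own assumptions; the sample credentials file is constructed in a temporary directory.

```python
import hashlib, hmac, os, secrets, stat, tempfile

# Case 1: user passwords. The app verifies them itself, so a one-way hash on file suffices.
def hash_password(password, salt=None):
    """Return 'salt:digest' using PBKDF2-HMAC-SHA256 and a random 16-byte salt."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return f"{salt.hex()}:{digest.hex()}"

def verify_password(password, stored):
    """Re-derive the digest from the candidate password and compare in constant time."""
    salt_hex, digest_hex = stored.split(":")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), 600_000)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Case 2: database credentials. The database authenticates, so the app must present the
# real password; the safeguard is a config file that only its own user can read.
def load_db_credentials(path):
    """Parse key=value lines, refusing a file readable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is mode {oct(mode)}; need 0600 or stricter")
    creds = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition("=")
                creds[key.strip()] = value.strip()
    return creds

def run_demo():
    """Exercise both cases; returns (good_pw_ok, bad_pw_ok, creds, loose_file_rejected)."""
    stored = hash_password("correct horse battery staple")
    good = verify_password("correct horse battery staple", stored)
    bad = verify_password("wrong password", stored)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db.cnf")  # constructed sample file, not a real secret
        fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write("# sample\nuser=appuser\npassword=example-only\n")
        creds = load_db_credentials(path)
        os.chmod(path, 0o644)  # loosen it, as a careless deployment might
        try:
            load_db_credentials(path)
            rejected = False
        except PermissionError:
            rejected = True
    return good, bad, creds, rejected
```

Note that the hash is useful only because the application does the comparison itself; the loader has no equivalent trick for the database password, which is why the permission check is the real control there.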
