
All Questions

1 vote, 2 answers, 4k views

AWS RDS Database access from Github Actions

I have a Postgres database hosted in AWS RDS. The rest of my application is also hosted on AWS. The database migrations, like adding a new column, are done by Prisma, a node package. The pipeline is ...
Asked by Jöcker
25 votes, 6 answers, 9k views

Is a sha256 hash of a unix timestamp a strong password?

I am setting up a postgres db that will never be used by humans. In fact, I really don't need to know it myself ever. I assumed that just using a 256-bit (64 alphanumeric chars) hash of a unix timestamp ...
Asked by ThisGuyCantEven
0 votes, 0 answers, 93 views

Is there much practical security value in using passwords/usernames for postgres instances used on development machines?

So say you are developing multiple different projects for different clients and want your developers to use postgres on their development machine (i.e. localhost connection in the development ...
Asked by Jack Kinsella
3 votes, 1 answer, 705 views

Does "row-level security" actually serve a security purpose?

Row-level security is often an industry requirement in secure environments, such as those dealing with payment cards. It's supported by most major relational databases, including PostgreSQL, Microsoft ...
Asked by watchowl
2 votes, 0 answers, 146 views

When using parameterized SQL queries, is there still any *security* issue with simply blindly accepting user input variables?

Suppose I have this: parameterized_database_call('SELECT * FROM widgets WHERE id = $1', $_GET['widget_id']); The SQL query is parameterized, as I've done for many years now. (I'm trying to repress ...
Asked by N. C.
4 votes, 2 answers, 1k views

Separate Auth DB for Increased Security

I'm a dev working on an app that has a monolith DB (PostgreSQL). We are using a third party provider for AUTH and MFA, but want to move MFA back into our control. The plan was to move the encrypted ...
Asked by seansean11
1 vote, 1 answer, 251 views

What kinds of attacks are possible with credentials to a read-only Postgres user?

Assuming I implement the literal SQL-injection on an HTTP endpoint with a read-only user that limits execution time to e.g. some amount of seconds. What's the worst that could happen? I know simple ...
Asked by ubershmekel
2 votes, 3 answers, 2k views

How strong should a database password be?

Seems like a trivial question, but I couldn't find other questions that address the following. So I'm simply asking, how strong would my (super user) database credentials ideally be? I simply figured ...
Asked by FLUSHER
1 vote, 1 answer, 763 views

Public guest user for PostgreSQL?

I manage an open-source software project that relies on data that I am happy to share with the public. The software is hosted on github.com, but the dataset is too large to host there. It is easiest ...
Asked by Matthias Fripp
2 votes, 1 answer, 696 views

Is sharing a database's hostname considered to be a security hole?

We have a Postgres database running on Heroku and want to set up an external connection to it from the DB management GUI application (e.g. pgAdmin). Being a novice to security things I wonder if it is ...
Asked by amost
3 votes, 1 answer, 365 views

Ciphertext vs database level encryption

For data that must be encrypted (read again, not hashed like a password) does storing ciphertext in a database gain you much over using the database's built-in encryption? In this case it would be ...
Asked by kreek
1 vote, 3 answers, 8k views

Metasploit Search Multiple Keywords

I am having an issue with Metasploit's search commands. When trying to search multiple keywords, the output displays only the first keyword. For example, if I use the command search platform:windows ...
Asked by Gavin Youker
4 votes, 1 answer, 365 views

Restoring database from a hacked system

A Linux VM with Postgres 9.4 was hacked into. (Two processes taking 100% CPU, weird files in /tmp, did not reoccur after kill(s) and restart.) It was decided to install the system from scratch on a ...
Asked by user1713059
2 votes, 0 answers, 2k views

Connecting to postgres with SSL

I need help understanding some basics about the postgres database server and SSL. I am developing a Windows desktop application that will connect to a postgres database, in single user mode, with both ...
Asked by harpagornis
27 votes, 4 answers, 11k views

Is Postgres password-based authentication secure?

According to Postgres's documentation, Postgres's password authentication method uses MD5 hashing to secure the password: The password-based authentication methods are md5 and password. These ...
Asked by Ajedi32
