[mythtv-users] slow mythfilldatabase

Gary Buhrmaster gary.buhrmaster at gmail.com
Sat Jan 9 03:12:05 UTC 2021


On Sat, Jan 9, 2021 at 1:48 AM Bill Meek <keemllib at gmail.com> wrote:

> (OK, there is a security issue that the SQLite version fixes
> by encrypting the password.)

The SQLite version does not, actually, encrypt the password, it just
optionally stores (only) the hashed value (which is, unfortunately,
not salted (because Schedules Direct does not support salts), so
not only can it be used to access your Schedules Direct account as
is, but a rainbow table can be used to determine the original password
fairly easily(*)), but storing only a hashed password does make it at
least a little less obvious what the original password might be(**)
should one choose to not wish to enter the password each invocation
of the grabber, which would not store the password at all(***) in any
database, but would require a different type of invocation.

As always, best practice is that one should be sure to use a unique
password with Schedules Direct to minimize the impact of the
password being determined (i.e. be sure that your Schedules
Direct password is not a reused password from something like
your bank account, where it might actually matter).

Gary



(*) The only less bad news is that if one's password is sufficiently
long and complex the smaller rainbow tables typically available
online or for public download may not be sufficiently complete to
provide the plain-text for such a long/complex password.  But be
aware that more complete rainbow tables do exist (because of
course they do).

(**) It depends on your threat model whether storing only a
SHA1 hash is really better than storing a plaintext password,
but it should be no worse.

(***) In previous versions of MythTV, a password could be
stored in the database for use by the grabber.  For the classic
Schedules Direct "DataDirect" grabber (previous to the XMLTV
JSON based grabbers) that would have typically been the
plaintext password.
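
The difference between an unsalted and a salted stored hash, as an added example that is not part of the original post or of any grabber's code: it checks a stored hash against a precomputed table and shows why a salt would defeat that table. The hex encoding, the function names, the word list and the sample passwords are assumptions constructed for illustration, and the plain dictionary stands in for a real rainbow table, which is a more compact time-memory trade-off.

```python
import hashlib
import os

# Constructed sample data: a tiny stand-in for a precomputed table.
COMMON_PASSWORDS = ["password", "letmein", "mythtv", "qwerty123"]


def unsalted_sha1(password: str) -> str:
    """Unsalted SHA-1 of the password (hex encoding is an assumption)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """Salted variant, for comparison only; the post says salts are not supported."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precompute hash -> plaintext once; the table works against every unsalted hash."""
    return {unsalted_sha1(w): w for w in words}


def audit_stored_hash(stored_hash: str, lookup: dict):
    """Return the plaintext if the stored hash appears in the table, else None."""
    return lookup.get(stored_hash.lower())


LOOKUP = build_lookup(COMMON_PASSWORDS)

if __name__ == "__main__":
    weak = unsalted_sha1("mythtv")
    strong = unsalted_sha1("T9#vq-Lr2!mXw8zK_eP4")  # constructed long password
    salted = salted_sha1("mythtv", os.urandom(16))

    # Same password always gives the same unsalted hash, so one table serves all.
    print("weak, unsalted  :", audit_stored_hash(weak, LOOKUP))
    # A long, complex password is simply absent from a small table.
    print("strong, unsalted:", audit_stored_hash(strong, LOOKUP))
    # A per-entry salt changes the hash, so the precomputed table no longer matches.
    print("weak, salted    :", audit_stored_hash(salted, LOOKUP))
```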

