Re: [OAUTH-WG] Hashing passwords for "password" grant type
Aaron Parecki <aaron@parecki.com> Fri, 10 September 2010 17:06 UTC
Return-Path: <aaron@parecki.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BE2333A6843 for <oauth@core3.amsl.com>; Fri, 10 Sep 2010 10:06:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.535
X-Spam-Level:
X-Spam-Status: No, score=-1.535 tagged_above=-999 required=5 tests=[AWL=0.441, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tyHmcPSQh2Nw for <oauth@core3.amsl.com>; Fri, 10 Sep 2010 10:06:45 -0700 (PDT)
Received: from mail-ew0-f44.google.com (mail-ew0-f44.google.com [209.85.215.44]) by core3.amsl.com (Postfix) with ESMTP id B28C13A692B for <oauth@ietf.org>; Fri, 10 Sep 2010 10:06:44 -0700 (PDT)
Received: by ewy26 with SMTP id 26so1394659ewy.31 for <oauth@ietf.org>; Fri, 10 Sep 2010 10:07:11 -0700 (PDT)
Received: by 10.213.113.143 with SMTP id a15mr46889ebq.15.1284138431262; Fri, 10 Sep 2010 10:07:11 -0700 (PDT)
Received: from mail-ew0-f44.google.com (mail-ew0-f44.google.com [209.85.215.44]) by mx.google.com with ESMTPS id v8sm4196409eeh.14.2010.09.10.10.07.09 (version=SSLv3 cipher=RC4-MD5); Fri, 10 Sep 2010 10:07:10 -0700 (PDT)
Received: by ewy26 with SMTP id 26so1394610ewy.31 for <oauth@ietf.org>; Fri, 10 Sep 2010 10:07:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.181.84 with SMTP id k62mr1143798wem.76.1284138428922; Fri, 10 Sep 2010 10:07:08 -0700 (PDT)
Received: by 10.216.244.203 with HTTP; Fri, 10 Sep 2010 10:07:08 -0700 (PDT)
In-Reply-To: <AANLkTikYTMBP1uLJ7g5ckWsoAg7n+aQ1awSq4kfvRJ+c@mail.gmail.com>
References: <AANLkTi=eODzwVYyPjQXwBP-S+po7-hpP8v-YgQpjVR8S@mail.gmail.com> <4C8A46D5.9070207@aist.go.jp> <AANLkTikYTMBP1uLJ7g5ckWsoAg7n+aQ1awSq4kfvRJ+c@mail.gmail.com>
Date: Fri, 10 Sep 2010 10:07:08 -0700
Message-ID: <AANLkTikuVV2av_VR6WLfF0NCTTLUxQ5uBTqAH+stp1iz@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="001636427685e5feda048feac6c0"
Subject: Re: [OAUTH-WG] Hashing passwords for "password" grant type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Sep 2010 17:06:46 -0000
Thanks for all the recommendations, everyone. It looks like the best solution is to just filter out the password from the post data before logging it. In my system, only pre-approved clients can use the password grant type, similar to how Twitter approves access to their XAuth system on a per-client basis. The only clients that will have access to the password grant type are mobile phones, never from a web browser. The reason to support passwords at all is because, frankly, the user experience flow on a phone of opening a browser after launching the app is not that great. I am also providing access to the raw headers and post data sent and received from every client so developers can more easily debug their applications. Igor - I realize that OAuth is designed to avoid giving out your password to 3rd party clients, which is why I am limiting access to the password grant type to only "official" mobile clients. Web clients will use the traditional web auth flow. Brian - Thanks for the excellent link. Kris - Can you clarify why phones can't protect the client secret? This sounds like it would be a major issue for a lot of people. Thanks again, Aaron 2010/9/10 Brian Eaton <beaton@google.com> > Hey Aaron - > > Here's some more research and recommendations for you: > > http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html > . > > I agree with the other recommendations on this thread, probably not a > good idea for you to invent a hashing scheme for this. Especially not > if you're going to be accepting logins from browsers. > > Cheers, > Brian > > On Fri, Sep 10, 2010 at 7:55 AM, Yutaka OIWA <y.oiwa@aist.go.jp> wrote: > > Hi Aaron, > > > > In usual security senses, just hashing or salting the on-wire passwords > will not > > improve security against credential stealing (both on-wire and local), > because > > stolen hashed password will allow accesses to the resources. > > > > # At least theoretically, we can say that it "weakens" the security, > because > > # stealing hashed passwords is theoretically "easier" than stealing raw > > # passwords (hint: the latter implies the former). > > > > If you are really concerning server-side leakage of on-wire credentials, > > one way is to request Digest- or APOP-style challenge-responses > > (but it may need one additional round-trip messages for getting a > challenge, > > depending on the setting.) > > > > # One setting on which hashing the password makes security sense is > > # to use hashed passwords for low-security low-privilege interfaces > > # (e.g. tweeting) and to require raw passwords for > > # high-security high-privilege interfaces (such as configuration > changes.) > > > > On 2010/09/07 12:09, Aaron Parecki wrote: > >> Hi folks, > >> > >> I'm implementing OAuth 2 for my project (geoloqi.com < > http://geoloqi.com>) where > >> I have some mobile phone clients needing to authenticate. I'm using the > >> "password" grant type for these clients. Even though the call to the > token > >> endpoint is going over HTTPS, I'm still slightly concerned about sending > the > >> user's password to the server unencrypted. (I don't want the users' > passwords to > >> appear in my debug log file for instance.) Does the spec allow for or > have a way > >> to extend so that I can define a hashing algorithm the client can use to > encrypt > >> the password before sending it? I'm already not storing the passwords in > plain > >> text in the database anyway. Anybody else dealing with a similar issue? > >> > >> Aaron > >> > >> > >> > >> > >> _______________________________________________ > >> OAuth mailing list > >> OAuth@ietf.org > >> https://www.ietf.org/mailman/listinfo/oauth > > > > -- > > 大岩 寛 Yutaka Oiwa 独立行政法人 産業技術総合研究所 > > 情報セキュリティ研究センター ソフトウェアセキュリティ研究チーム > > <y.oiwa@aist.go.jp>, < > yutaka@oiwa.jp> > > OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 > 46B5] > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > >
- [OAUTH-WG] Hashing passwords for "password" grant… Aaron Parecki
- Re: [OAUTH-WG] Hashing passwords for "password" g… Luke Shepard
- Re: [OAUTH-WG] Hashing passwords for "password" g… Kris Selden
- Re: [OAUTH-WG] Hashing passwords for "password" g… Igor Faynberg
- Re: [OAUTH-WG] Hashing passwords for "password" g… Yutaka OIWA
- Re: [OAUTH-WG] Hashing passwords for "password" g… Brian Eaton
- Re: [OAUTH-WG] Hashing passwords for "password" g… Aaron Parecki
- Re: [OAUTH-WG] Hashing passwords for "password" g… Kris Selden