Re: [OAUTH-WG] Hashing passwords for "password" grant type

Luke Shepard <lshepard@facebook.com> Tue, 07 September 2010 04:45 UTC

From: Luke Shepard <lshepard@facebook.com>
To: Aaron Parecki <aaron@parecki.com>
Date: Tue, 07 Sep 2010 04:46:22 +0000
Message-ID: <921F9B17-F12F-4ADA-9CC9-5E62DADD612B@facebook.com>
References: <AANLkTi=eODzwVYyPjQXwBP-S+po7-hpP8v-YgQpjVR8S@mail.gmail.com>
In-Reply-To: <AANLkTi=eODzwVYyPjQXwBP-S+po7-hpP8v-YgQpjVR8S@mail.gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Hashing passwords for "password" grant type

When a user logs into your website with a login form, do you POST their password in plaintext over HTTPS? Most websites do, and the security of the "password" grant type is equivalent to that.

If you only allow POST requests to that endpoint, then it should generally keep the password out of most generic access logs.

On Sep 6, 2010, at 8:09 PM, Aaron Parecki wrote:

Hi folks,

I'm implementing OAuth 2 for my project (geoloqi.com, http://geoloqi.com/) where I have some mobile phone clients needing to authenticate. I'm using the "password" grant type for these clients. Even though the call to the token endpoint is going over HTTPS, I'm still slightly concerned about sending the user's password to the server unencrypted. (I don't want the users' passwords to appear in my debug log file, for instance.) Does the spec allow for or have a way to extend so that I can define a hashing algorithm the client can use to encrypt the password before sending it? I'm already not storing the passwords in plain text in the database anyway. Anybody else dealing with a similar issue?

Aaron


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
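Luke's two points (POST-only endpoint so the credentials stay out of access logs, and a plaintext password over TLS checked against a stored salted hash) and Aaron's debug-log concern, in a minimal password-grant token endpoint. This is an added example, not code from the thread, geoloqi or any OAuth library; the function names, the PBKDF2 parameters, the user store and the URLs are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from urllib.parse import parse_qs, urlsplit

ITERATIONS = 200_000  # PBKDF2 work factor, an assumed value; tune to the server's budget

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt_hex$hash_hex'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)

# Constructed user store: only the salted hash is kept, never the password.
USERS = {"alice": hash_password("correct horse battery staple")}
# Hash of a random value, verified for unknown users so that response time
# does not reveal whether a username exists.
DUMMY_HASH = hash_password(secrets.token_hex(16))

def log_line(form):
    """What the debug log may record: every form field except the password."""
    safe = {k: ("[REDACTED]" if k == "password" else v) for k, v in form.items()}
    return "token request " + " ".join(f"{k}={v}" for k, v in sorted(safe.items()))

def token_endpoint(method, url, body):
    """Handle a password-grant token request; returns (HTTP status, response dict)."""
    if method != "POST":  # a GET would put the credentials in the URL and access logs
        return 405, {"error": "invalid_request"}
    if urlsplit(url).query:  # refuse credentials passed in the query string
        return 400, {"error": "invalid_request"}
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    print(log_line(form))  # stand-in for the application's debug logger
    username = form.get("username", "")
    ok = verify_password(form.get("password", ""), USERS.get(username, DUMMY_HASH))
    if not ok or username not in USERS:
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}
```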