Re: [OAUTH-WG] Hashing passwords for "password" grant type

Kris Selden <kris.selden@gmail.com> Tue, 07 September 2010 05:09 UTC

From: Kris Selden <kris.selden@gmail.com>
Date: Mon, 06 Sep 2010 22:09:37 -0700
To: Aaron Parecki <aaron@parecki.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Hashing passwords for "password" grant type

If it is HTTPS, you aren't sending the password unencrypted. You shouldn't be logging POST params unfiltered. You should have a per-user random salt you are hashing the password with, which would make it hard for you to hash it on the phone without making a separate call to look up the salt for that user, which sounds worse than making sure it doesn't get logged.

Phones like the iPhone or Android cannot protect the client secret, so using the password type means any client could mimic your trusted client and use the password grant type.

On Sep 6, 2010, at 8:09 PM, Aaron Parecki <aaron@parecki.com> wrote:

> Hi folks,
> 
> I'm implementing OAuth 2 for my project (geoloqi.com) where I have some mobile phone clients needing to authenticate. I'm using the "password" grant type for these clients. Even though the call to the token endpoint is going over HTTPS, I'm still slightly concerned about sending the user's password to the server unencrypted. (I don't want the users' passwords to appear in my debug log file for instance.) Does the spec allow for or have a way to extend so that I can define a hashing algorithm the client can use to encrypt the password before sending it? I'm already not storing the passwords in plain text in the database anyway. Anybody else dealing with a similar issue?
> 
> Aaron
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
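The server-side arrangement Kris describes (per-user random salt, hashing on the server rather than on the phone, and filtering POST params before they reach a log), as an added Python example that is not part of this thread or of any project mentioned in it. PBKDF2-HMAC-SHA256, the iteration count, the in-memory user store and the placeholder token value are my assumptions.

```python
import hashlib
import hmac
import logging
import os

# Constructed in-memory user store: username -> (salt, pbkdf2 hash). A real
# deployment keeps this in a database; only the salt and hash are stored.
USER_STORE = {}
ITERATIONS = 100_000          # assumed work factor; tune for the server
SENSITIVE_FIELDS = {"password", "client_secret"}


def register_user(username, password):
    """Store a fresh random salt plus PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    USER_STORE[username] = (salt, digest)


def password_matches(username, password):
    """Re-derive the hash with the stored per-user salt and compare in constant time."""
    record = USER_STORE.get(username)
    if record is None:
        # Do the same work for unknown users so the response time does not reveal
        # which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, ITERATIONS)
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def redact_for_log(form):
    """Copy of the POST form with secret-bearing fields masked, safe to log."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in form.items()}


def handle_password_grant(form, log=logging.getLogger("token")):
    """Minimal token-endpoint check for grant_type=password.
    Returns (http_status, body) and logs only the redacted form."""
    log.debug("token request: %s", redact_for_log(form))
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if "username" not in form or "password" not in form:
        return 400, {"error": "invalid_request"}
    if not password_matches(form["username"], form["password"]):
        return 400, {"error": "invalid_grant"}
    # Token issuance is out of scope here; the value is a constructed placeholder.
    return 200, {"access_token": os.urandom(16).hex(), "token_type": "bearer"}
```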