IETF Logo Mail Archive

Re: [OAUTH-WG] Hashing passwords for "password" grant type

Brian Eaton <beaton@google.com> Fri, 10 September 2010 15:49 UTC

Return-Path: <beaton@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 325343A6868 for <oauth@core3.amsl.com>; Fri, 10 Sep 2010 08:49:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.241
X-Spam-Level:
X-Spam-Status: No, score=-104.241 tagged_above=-999 required=5 tests=[AWL=1.736, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G34PlmcT36P5 for <oauth@core3.amsl.com>; Fri, 10 Sep 2010 08:49:06 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 210B33A6875 for <oauth@ietf.org>; Fri, 10 Sep 2010 08:49:02 -0700 (PDT)
Received: from hpaq1.eem.corp.google.com (hpaq1.eem.corp.google.com [172.25.149.1]) by smtp-out.google.com with ESMTP id o8AFnT1r015637 for <oauth@ietf.org>; Fri, 10 Sep 2010 08:49:29 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1284133769; bh=6PMVDI/REGBCuBu02JUwO/I04gk=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type:Content-Transfer-Encoding; b=ySK/mb7Qc7IOKAibhL2iMeAkw97ehKgzh4pbPTuexbRETv+YYhXUcwWeqDgBmbR5d VLUshBBu87S0i7b1YAQFQ==
Received: from pwj9 (pwj9.prod.google.com [10.241.219.73]) by hpaq1.eem.corp.google.com with ESMTP id o8AFnRaN021106 for <oauth@ietf.org>; Fri, 10 Sep 2010 08:49:27 -0700
Received: by pwj9 with SMTP id 9so1527338pwj.15 for <oauth@ietf.org>; Fri, 10 Sep 2010 08:49:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=yo6YUXNJgIRUP3Xgksgm229rT8ZiLp4TchOpk58uXtM=; b=CtImJQllhMIuh8zHurL9lE7wm+1aPSAqY4smsgy+g9Prty4qCWBd1PX14dDeRNK3GE bxrEYTKcNVyx2VITAKlQ==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=A/cPzcrYTK7qNzaPdz2QV0DLrUOoG3g6U0TnwGnA40M+14FaVa5i+jdfIKUfOYNTn8 KGq5k5CZ/wv1sio1LgNg==
MIME-Version: 1.0
Received: by 10.142.151.16 with SMTP id y16mr983165wfd.93.1284133765024; Fri, 10 Sep 2010 08:49:25 -0700 (PDT)
Received: by 10.142.211.7 with HTTP; Fri, 10 Sep 2010 08:49:24 -0700 (PDT)
In-Reply-To: <4C8A46D5.9070207@aist.go.jp>
References: <AANLkTi=eODzwVYyPjQXwBP-S+po7-hpP8v-YgQpjVR8S@mail.gmail.com> <4C8A46D5.9070207@aist.go.jp>
Date: Fri, 10 Sep 2010 08:49:24 -0700
Message-ID: <AANLkTikYTMBP1uLJ7g5ckWsoAg7n+aQ1awSq4kfvRJ+c@mail.gmail.com>
From: Brian Eaton <beaton@google.com>
To: Yutaka OIWA <y.oiwa@aist.go.jp>
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Hashing passwords for "password" grant type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Sep 2010 15:49:08 -0000

Hey Aaron -

Here's some more research and recommendations for you:
http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html.

I agree with the other recommendations on this thread, probably not a
good idea for you to invent a hashing scheme for this.  Especially not
if you're going to be accepting logins from browsers.

Cheers,
Brian

On Fri, Sep 10, 2010 at 7:55 AM, Yutaka OIWA <y.oiwa@aist.go.jp> wrote:
> Hi Aaron,
>
> In usual security senses, just hashing or salting the on-wire passwords will not
> improve security against credential stealing (both on-wire and local), because
> stolen hashed password will allow accesses to the resources.
>
> # At least theoretically, we can say that it "weakens" the security, because
> # stealing hashed passwords is theoretically "easier" than stealing raw
> # passwords (hint: the latter implies the former).
>
> If you are really concerning server-side leakage of on-wire credentials,
> one way is to request Digest- or APOP-style challenge-responses
> (but it may need one additional round-trip messages for getting a challenge,
>  depending on the setting.)
>
> # One setting on which hashing the password makes security sense is
> # to use hashed passwords for low-security low-privilege interfaces
> # (e.g. tweeting) and to require raw passwords for
> # high-security high-privilege interfaces (such as configuration changes.)
>
> On 2010/09/07 12:09, Aaron Parecki wrote:
>> Hi folks,
>>
>> I'm implementing OAuth 2 for my project (geoloqi.com <http://geoloqi.com>) where
>> I have some mobile phone clients needing to authenticate. I'm using the
>> "password" grant type for these clients. Even though the call to the token
>> endpoint is going over HTTPS, I'm still slightly concerned about sending the
>> user's password to the server unencrypted. (I don't want the users' passwords to
>> appear in my debug log file for instance.) Does the spec allow for or have a way
>> to extend so that I can define a hashing algorithm the client can use to encrypt
>> the password before sending it? I'm already not storing the passwords in plain
>> text in the database anyway. Anybody else dealing with a similar issue?
>>
>> Aaron
>>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> 大岩 寛   Yutaka Oiwa                       独立行政法人 産業技術総合研究所
>            情報セキュリティ研究センター ソフトウェアセキュリティ研究チーム
>                                      <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
> OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email