Comments on: Salting Passwords in DB or Across the Wire?

By: Kamasa

Kamasa — Wed, 02 Jun 2010 19:46:10 +0000

At least you have to use a salt for generating the hash. Otherwise the hash value is as “valuable” as the plain password when intercepted – at least on your site.

By: Otto

Otto — Tue, 23 Mar 2010 17:51:42 +0000

I’m not sure what you’re wanting is possible. There needs to be a shared secret of some kind in order for authentication to work at all.

Basically, the client must send something that is what you store in the database, or which can be transformed into same through an algorithm.

Now, since the function of that algorithm depends solely on inputs from the client and stored values already on the server, there’s no way to secure it if they know the values on the server or what the expected response is. All you can do is to make it difficult (take longer to brute force). You can’t actually make it impossible.

By: Joe Hildebrand

Joe Hildebrand — Mon, 22 Mar 2010 08:06:11 +0000

It looks like you’re trying to build DIGEST-MD5:

http://tools.ietf.org/html/rfc2831

however, that’s being replace with SCRAM:

http://tools.ietf.or[...]asl-scram-11

using one of these schemes that have been fully-vetted by the security community is a much better approach, even if you have to pull it up into your application rather doing inside the protocol like SASL imagines.

By: Robert Accettura

Robert Accettura — Sat, 20 Mar 2010 19:46:45 +0000

I doubt it. If they are running it without https right now anyway, they obviously don’t care. Changing a config is hardly a barrier to adoption (is it really zero config right now?)

By: Alex

Alex — Sat, 20 Mar 2010 02:11:21 +0000

I think that would result in a lot of requests for refunds from my customers…

By: Robert Accettura

Robert Accettura — Sat, 20 Mar 2010 01:55:53 +0000

Perhaps the best approach then is to check the protocol and require SSL for the app to run, unless the installer explicitly disables that check in the config file, in which case they assume the risk.

Setting up a self-signed SSL cert, or buying and installing one (basic validation is only a few dollars now) isn’t a huge deal. Most just skip the step to speed and because it just works.

Put a barrier there and people will second guess disabling a security feature.

IMHO all apps should require SSL for login. I have an SSL cert for my blog for the purpose of securing the contact form, and for login (most important).

By: Alex

Alex — Fri, 19 Mar 2010 21:23:24 +0000

That’s interesting, I hadn’t heard it looked at that way. Wikipedia says:

For best security, the salt value is kept secret, separate from the password database. This provides an advantage when a database is stolen, but the salt is not. To determine a password from a stolen hash, an attacker cannot simply try common passwords (such as English language words or names). Rather, they must calculate the hashes of random characters (at least for the portion of the input they know is the salt), which is much slower.

In some protocols, the salt is transmitted as cleartext with the encrypted data, sometimes along with the number of iterations used in generating the key (for key strengthening).

I think that a hash of a hashed string plus salt can make it harder to reverse, but once the algorithm is figured out it’s just layers.

By: Dave Bacher

Dave Bacher — Fri, 19 Mar 2010 19:04:48 +0000

I think I’m missing something here. I thought salt was public information designed to increase the size of the required rainbow tables. The salting function is just the hashing function and it is designed to be one-way. So a) it doesn’t matter if the salt is exposed publicly, and b) if you have a good hashing function, it’s hard to reverse engineer the salting even if you know
the function.

Am I misinformed?

By: Alex

Alex — Fri, 19 Mar 2010 18:32:34 +0000

Agreed. SSL is a great tool in this mix, however my experience has been that few of my customers actually install and configure SSL when they install a web app. I want to do what I can to help in those cases as well.

By: Robert Accettura

Robert Accettura — Fri, 19 Mar 2010 18:19:04 +0000

IMHO wire attacks are much more worthwhile to protect against.

The problem with database only, is that it seems rare only the DB is compromised. Normally it’s the last to be attacked, the web app being in front of the DB. The DB should be the most restricted (only the webapp needs to even communicate with it).

That said, you can pretty much solve wire attacks by using SSL which also verifies identity and helps against MITM attacks. IMHO more worthwhile than a JS solution. Overhead is reduced if you have SSL hardware on your server.

By: Alex

Alex — Fri, 19 Mar 2010 18:09:42 +0000

True, I should have clarified this as a “database only” vulnerability. If an attacker gains access to both code and database, then salted passwords are subject to the same rainbow table lookups (albeit with an additional step in the process).

That’s another good reason to optimize against a wire attack vs. a database only attack.

By: Joe Hall

Joe Hall — Fri, 19 Mar 2010 18:06:19 +0000

I agree that its more likely that attacker with hit over the wire versus the DB. But, If an attacker gets access to a DB they in theory probably have access to your salt formula and as a result could reverse engineer an attack with rainbow tables.