Using hashing for password checking in auth module

2009-01-30 Thread Guy Rutenberg

Hi,

I've started using Django recently and when I've used the auth module
I noticed that it only verifies a plain text password. I'm not
comfortable with this behaviour as it means that passwords have to be
sent by login forms in plain text.

In previous projects of mine I've used a solution that involved
comparing a hash value of a given salt with the hash of the password
(which is stored in the database). A salt is sent with the login form
and upon submission, using javascript the salt is concatenated with a
hashed password and then both of them are hashed again. The same thing
happens on the server side and only the resulting hashes are compared.
This eliminates the need to send the password in plain text in the
login forms and adds extra security.

Is it possible to do such a thing with the current auth module? If not, how
hard would it be to add such functionality to the current module or write
a new authentication backend for it?


Thanks,

Guy Rutenberg

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~--~~~~--~~--~--~---



Re: Using hashing for password checking in auth module

2009-01-30 Thread Guy Rutenberg

Hi Martin,

On Jan 30, 11:43 pm, Martin Conte Mac Donell wrote:
>
> Actually in contrib.auth passwords are stored in SHA1. If you mean
> that passwords are sent in plain text "over the network" then you
> should use https.
>

I meant "over the network". While https is the ideal solution security-wise,
for many small projects getting a signed certificate costs too
much, and using a self-signed one scares users who encounter the
browser's security alert.

Sending hashed passwords, maybe even using something similar to HMAC,
allows one to verify that the user has the correct password without
actually passing it.


Thanks,

Guy



Re: Using hashing for password checking in auth module

2009-01-30 Thread Guy Rutenberg

Hi Matthias,

On Jan 31, 12:37 am, Matthias Julius wrote:
>
>
> But, it doesn't help you anything.  Someone who could get a hold of a
> plain text password sent over the internet could get a hashed password
> just as easily.  And the server has no way of telling whether the sent
> password hash came from a browser showing your website or from
> something else.  To protect a password you need an encrypted
> connection.
>

I don't intend to send the hashed password; I agree with you that this
doesn't help. The idea is to use some common reliable signature
scheme, such as HMAC, to sign a long nonce salt which is generated
uniquely for each login form display. If someone snatches the signature,
he must relay it to the server faster than the original packets in
order to log in (the nonce salt is erased from the session the moment
someone tries to authenticate against it). The intercepted signature
is of little use to the snatcher, as the whole idea of cryptographic
signature algorithms is to make extracting the secret key (in this
case it's the password) used to sign as hard as possible, which is
impossible for anyone who isn't some top cryptanalyst with access
to some huge computing power.

On the other hand, if someone intercepts the clear-text password sent,
he can log in with it any time he wants, and moreover he will probably
get access to other services the user has, as people usually re-use
passwords for their accounts in different places.

So the scheme is not to send the hashed password, but a cryptographic
signature of a randomly generated (big) salt, a copy of which is saved
in the session. Someone without the password could not sign the
request, and if he intercepts the request he couldn't extract the
password from it.

This idea is also used in many production environments and is
implemented in the OAuth protocol (HMAC-SHA1 version), where it is
used to authenticate requests by using a consumer key (username) and
consumer secret (password) without ever sending the password in plain-text.

http://oauth.net/core/1.0/

Thanks,

Guy
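The challenge-response exchange described in this post and the later HMAC-SHA1 posts, as an added example that is not part of the thread or of Django's contrib.auth. It assumes the layout contrib.auth used at the time (a per-user salt plus a hash of the salted password) but uses SHA-256 instead of SHA-1, and the user record, session store and session ids are constructed for the example. The server sends a fresh nonce and the user's salt with the login form; the client (the JavaScript side) recomputes the stored verifier from the password and signs the nonce with it; the server pops the nonce from the session before checking, so a captured signature cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Hypothetical verifier layout, mimicking contrib.auth's "salt$hash" scheme
# but with SHA-256 (assumption for this example; contrib.auth used SHA-1).
def hash_password(password, salt):
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed user store: the server never holds the plain-text password,
# only the salt and the verifier derived from it.
USERS = {
    "alice": {"salt": "c3f1a9", "verifier": hash_password("correct horse", "c3f1a9")},
}

# Constructed session store keyed by session id. The nonce lives here
# until the first authentication attempt against it.
SESSIONS = {}

def issue_challenge(session_id, username):
    """Server side: generate a single-use nonce for the login form."""
    user = USERS.get(username)
    nonce = secrets.token_hex(32)
    SESSIONS[session_id] = {"username": username, "nonce": nonce}
    # The salt is sent so the client can reproduce the stored verifier.
    # A random salt is returned for unknown users so the response does not
    # reveal whether the account exists.
    salt = user["salt"] if user else secrets.token_hex(3)
    return {"nonce": nonce, "salt": salt}

def client_sign(password, challenge):
    """Client side: what the login form's JavaScript would compute.
    The key is the verifier (salted hash), the message is the nonce."""
    key = hash_password(password, challenge["salt"])
    return hmac.new(key.encode(), challenge["nonce"].encode(), hashlib.sha256).hexdigest()

def verify_login(session_id, signature):
    """Server side: erase the nonce first (single use), then compare the
    expected HMAC with the submitted one in constant time."""
    state = SESSIONS.pop(session_id, None)
    if state is None:
        return False  # no outstanding challenge: replay or stale form
    user = USERS.get(state["username"])
    if user is None:
        return False
    expected = hmac.new(user["verifier"].encode(),
                        state["nonce"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)

if __name__ == "__main__":
    challenge = issue_challenge("session-1", "alice")
    signature = client_sign("correct horse", challenge)
    print("first login:", verify_login("session-1", signature))   # True
    print("replayed:   ", verify_login("session-1", signature))   # False, nonce erased
```

Note what this does and does not buy, in line with the objections raised in the thread: an eavesdropper sees only the nonce and an HMAC over it, and cannot recover the password or reuse the signature after the nonce is consumed. The stored verifier, however, becomes password-equivalent for this login path (whoever holds it can compute `client_sign` without the password), and nothing here stops an attacker who can alter the page from serving different JavaScript, which is why the replies recommend https regardless.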



Re: Using hashing for password checking in auth module

2009-01-31 Thread Guy Rutenberg

Hi Kless,

Correct me if I'm wrong, but bcrypt can be used as a solution for
storing the passwords in the database (instead of the default sha1),
but it doesn't provide the solution I'm looking for: not sending plain-text
passwords in login forms. Anyway, bcrypt sounds interesting,
especially its ability to adapt to processor improvements.

Thanks,

Guy

On Jan 31, 11:41 am, Kless wrote:
> I recommend you to use bcrypt, the password-hashing algorithm used in
> OpenBSD.
>
> The advantages are that it creates and manages auto. the salt for each
> password entered; And the most important is that it is adaptable to
> future processor performance improvements.
>
> http://pypi.python.org/pypi/bcryptWrap




Re: Using hashing for password checking in auth module

2009-02-01 Thread Guy Rutenberg

Hi Kless,


On Jan 31, 7:05 pm, Kless wrote:
>
> Your method has a point of failure. Whoever can see your JS code
> (client code) will know what you are doing with the password
> that is sent from a form.
>
> The best options are https or using HMAC-SHA1/RIPEMD160
>

I've indeed referenced HMAC in a couple of the previous posts. As these
methods should be (almost) irreversible, I don't care if someone
takes a look at the JS and figures out what I'm doing (I'm not trying to
obtain security by obfuscation). As you said, HMAC-SHA1 (or any
other strong hash with HMAC) is a good option. I just wonder whether Django
has built-in support for using these things or I have to write my own.

Thanks,

Guy



Why Syntax Errors in URLconf are Silent?

2009-02-06 Thread Guy Rutenberg

Hi,

I've included an app-specific URLconf in my main URLconf file. I had
some syntax errors in the included URLconf file; however, instead of
throwing an exception about the syntax error, an exception was thrown
when I tried to use the "reverse()" function on the URLs of the
included URLconf.

It took me some time to find out what the real problem was, because
the syntax errors were silent. Is there some reason Django silences
the errors in URLconf files?

I used the development server and had DEBUG=True.

Thanks,

Guy


http://www.guyrutenberg.com



Re: Why Syntax Errors in URLconf are Silent?

2009-02-07 Thread Guy Rutenberg

Hi,

On Feb 7, 8:43 am, Kenneth Gonsalves wrote:

> what type of syntax error? I put an extra comma in my urls file and the app
> promptly crashed.
>

I wrote "pattenrs" instead of "patterns" and it sure did crash. But
instead of crashing and reporting a Syntax Error exception it reported
a failure to do a reverse lookup, which I found confusing.

Thanks,

Guy
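One way to surface the real error before any reverse() call is to import every included URLconf eagerly (for example from a startup check or a test) and report the exception type that the import itself raises. This is an added example, not part of the thread or of Django; the `broken_urls` module is constructed here to reproduce the `pattenrs` typo, and a stand-in `patterns()` function replaces Django's so the file runs offline. Python raises a NameError for the misspelled name when the module is imported, and that is the message a developer wants to see instead of a failed reverse lookup.

```python
import importlib
import os
import sys
import tempfile

# Constructed app URLconf reproducing the typo from the thread. The stand-in
# patterns() function is an assumption so the module imports without Django.
BROKEN_URLCONF = """
def patterns(prefix, *args):
    return list(args)

urlpatterns = pattenrs('',
    (r'^hello/$', 'app.views.hello'),
)
"""

def write_module(dirname, name, source):
    """Write a throwaway module file for the example."""
    path = os.path.join(dirname, name + ".py")
    with open(path, "w") as f:
        f.write(source)
    return path

def check_urlconf_imports(module_names):
    """Import each URLconf module eagerly and return {module: error}.

    Any exception raised during import (SyntaxError, NameError, ImportError,
    ...) is recorded with its real type and message instead of being seen
    later as a reverse() failure.
    """
    problems = {}
    for name in module_names:
        sys.modules.pop(name, None)  # force a fresh import each run
        try:
            importlib.import_module(name)
        except Exception as exc:
            problems[name] = "%s: %s" % (type(exc).__name__, exc)
    return problems

def demo():
    """Create the broken URLconf in a temp dir and run the check on it."""
    tmp = tempfile.mkdtemp()
    write_module(tmp, "broken_urls", BROKEN_URLCONF)
    sys.path.insert(0, tmp)
    try:
        return check_urlconf_imports(["broken_urls"])
    finally:
        sys.path.remove(tmp)

if __name__ == "__main__":
    for module, error in demo().items():
        print("%s failed to import -> %s" % (module, error))
```

Running the check on a project's list of included URLconf modules at startup turns a confusing "reverse failed" into the plain `NameError: name 'pattenrs' is not defined` that points at the typo.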