Using hashing for password checking in auth module
Hi,

I've started using Django recently and when I've used the auth module I noticed that it only verifies a plain text password. I'm not comfortable with this behaviour as it means that passwords have to be sent by login forms in plain text.

In previous projects of mine I've used a solution that involved comparing a hash value of a given salt with the hash of the password (which is stored in the database). A salt is sent with the login form and upon submission, using JavaScript, the salt is concatenated with a hashed password and then both of them are hashed again. The same thing happens on the server side and only the resulting hashes are compared. This eliminates the need to send the password in plain text in the login forms and adds extra security.

Is it possible to do such a thing with the current auth module? If not, how hard would it be to add such functionality to the current module / write a new authentication backend for it?

Thanks,

Guy Rutenberg

You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/django-users?hl=en
Re: Using hashing for password checking in auth module
On Fri, Jan 30, 2009 at 5:36 PM, Guy Rutenberg wrote:
> I've started using Django recently and when I've used the auth module
> I noticed that it only verifies a plain text password. I'm not
> comfortable with this behaviour as it means that passwords have to be
> sent by login forms in plain text.

Actually, in contrib.auth passwords are stored as SHA1 hashes. If you mean that passwords are sent in plain text "over the network" then you should use https.

    >>> from django.contrib.auth.models import User
    >>> User.objects.get(pk=1).password
    u'sha1$a0052$51520b2de8cf5aab6d8fc5bf5e7d09801376031a'

Maybe you are confused because User has a method "check_password" that receives a parameter in plain text, but before the check your password is hashed.

M.
Re: Using hashing for password checking in auth module
Hi Martin,

On Jan 30, 11:43 pm, Martin Conte Mac Donell wrote:
> Actually in contrib.auth passwords are stored in SHA1. If you mean
> that passwords are sent in plain text "over the network" then you
> should use https.

I meant "over the network". While https is the ideal solution security-wise, for many small projects getting a signed certificate costs too much, and using a self-signed one scares users who encounter the browser's security alert.

Sending hashed passwords, maybe even using something similar to HMAC, allows one to verify the user has the correct password without actually passing it.

Thanks,

Guy
Re: Using hashing for password checking in auth module
Guy Rutenberg writes:
> Hi Martin,
>
> On Jan 30, 11:43 pm, Martin Conte Mac Donell wrote:
>> Actually in contrib.auth passwords are stored in SHA1. If you mean
>> that passwords are sent in plain text "over the network" then you
>> should use https.
>
> I meant "over the network". While https is the ideal solution security
> wise for many small projects a getting a signed certificate costs too
> much and using a self-signed one scares users who encounter the
> browser's security alert.
>
> Sending hashed passwords, maybe even using something similar to hmac,
> allows one to verify the user has the correct passwords without
> actually passing it.

But it doesn't help you at all. Someone who could get hold of a plain text password sent over the internet could get a hashed password just as easily. And the server has no way of telling whether the sent password hash came from a browser showing your website or from something else. To protect a password you need an encrypted connection.

Password hashing is done to protect passwords from a compromised password database. If someone gets the stored password hashes he still cannot log on to your application because the hashing algorithm is irreversible. He can only try a brute force attack if he knows the hashing algorithm. And this is why it is recommended that one uses longer passwords that don't appear in a dictionary.

Matthias
Re: Using hashing for password checking in auth module
Hi Matthias,

On Jan 31, 12:37 am, Matthias Julius wrote:
> But, it doesn't help you anything. Someone who could get a hold of a
> plain text password sent over the internet could get a hashed password
> just as easily. And the server has no way of telling whether the sent
> password hash came from a browser showing your website or from
> something else. To protect a password you need an encrypted
> connection.

I don't intend to send the hashed password; I agree with you that doesn't help. The idea is to use some common, reliable signature scheme, such as HMAC, to sign a long nonce salt which is generated uniquely for each login form display. If someone snatches the signature, he must relay it to the server faster than the original packets in order to log in (the nonce salt is erased from the session the moment someone tries to authenticate against it). The intercepted signature is of little use to the snatcher, as the whole idea of cryptographic signature algorithms is to make extracting the secret key used to sign (in this case the password) as hard as possible, which is impossible for anyone who isn't some top cryptanalyst with access to some huge computing power. On the other hand, if someone intercepts the clear-text password sent, he can log in with it any time he wants, and moreover he will probably get access to other services the user has, as people usually re-use passwords for their accounts in different places.

So the scheme is not to send the hashed password, but a cryptographic signature of a randomly generated (big) salt, a copy of which is saved in the session. Someone without the password could not sign the request, and if he intercepts the request he couldn't extract the password from it.

This idea is also used in many production environments and is implemented in the OAuth protocol (HMAC-SHA1 version), where it is used to authenticate requests by using a consumer key (username) and consumer secret (password) without ever sending the password in plain text. http://oauth.net/core/1.0/

Thanks,

Guy
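The challenge-response exchange Guy describes above, as an added example that is not part of the original thread and not code from Django or any poster. Both sides are shown in one script: the server issues a random nonce and keeps a copy in the session, the "browser" derives the same salted SHA-1 value contrib.auth stores and signs the nonce with HMAC-SHA1, and the server erases the nonce on the first attempt. The class and function names, the five-character salt and the session identifiers are assumptions for illustration. The fourth step in demo() shows the caveat a practitioner needs: because the server must be able to recompute the signature, the stored verifier is itself enough to log in.

```python
import hashlib
import hmac
import secrets


def sha1_salted(salt: str, password: str) -> str:
    """The value both sides can derive: SHA-1 over salt + password, the same
    shape as the sha1$salt$hash entries contrib.auth stores. The server keeps
    this; the browser recomputes it from the typed password and the salt."""
    return hashlib.sha1((salt + password).encode()).hexdigest()


def sign_challenge(verifier: str, nonce: str) -> str:
    """HMAC-SHA1 over the server's nonce, keyed with the verifier. This is what
    the login form's JavaScript would submit instead of the password."""
    return hmac.new(verifier.encode(), nonce.encode(), hashlib.sha1).hexdigest()


class ChallengeServer:
    """Hypothetical stand-in for a Django login view plus its session store."""

    def __init__(self, users):
        # users: username -> (salt, verifier). Constructed for the example.
        self.users = users
        self.pending = {}  # session_id -> (username, nonce), one per rendered form

    def issue_challenge(self, session_id: str, username: str):
        """Rendering the login form: generate a fresh random nonce, keep a copy
        in the session, and send the nonce plus the user's salt to the browser."""
        salt, _ = self.users[username]
        nonce = secrets.token_hex(32)
        self.pending[session_id] = (username, nonce)
        return salt, nonce

    def verify(self, session_id: str, username: str, signature: str) -> bool:
        """Form submission. The nonce is erased on the first attempt whatever
        the outcome, so a captured signature is useless a second time."""
        entry = self.pending.pop(session_id, None)
        if entry is None or entry[0] != username:
            return False
        _, verifier = self.users[username]
        expected = sign_challenge(verifier, entry[1])
        # Constant-time comparison: a plain == leaks how long the prefix matched.
        return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """Walk through a login, a replay, a stale signature, and the main caveat."""
    password, salt = "correct horse", "a0052"  # constructed credentials
    server = ChallengeServer({"guy": (salt, sha1_salted(salt, password))})

    # 1. Legitimate login: the browser hashes the typed password with the
    #    salt it was given and signs the nonce.
    salt_from_server, nonce = server.issue_challenge("sess-1", "guy")
    sig = sign_challenge(sha1_salted(salt_from_server, password), nonce)
    login = server.verify("sess-1", "guy", sig)

    # 2. A passive eavesdropper replays the captured signature: the nonce was
    #    consumed by the first attempt, so this fails.
    replay = server.verify("sess-1", "guy", sig)

    # 3. The eavesdropper requests a fresh form and submits the old signature:
    #    it was computed over a different nonce, so this fails too.
    server.issue_challenge("sess-2", "guy")
    stale = server.verify("sess-2", "guy", sig)

    # 4. Caveat: the stored verifier is password-equivalent. Whoever holds the
    #    database row can sign any challenge without ever learning the password.
    stolen_verifier = server.users["guy"][1]
    _, nonce3 = server.issue_challenge("sess-3", "guy")
    pass_the_hash = server.verify("sess-3", "guy",
                                  sign_challenge(stolen_verifier, nonce3))

    return {"login": login, "replay": replay,
            "stale": stale, "pass_the_hash": pass_the_hash}


if __name__ == "__main__":
    print(demo())
```

Two further limits follow from the code rather than from anything special about Django. An eavesdropper who captures one (nonce, signature) pair can test candidate passwords offline at the speed of SHA-1, so the scheme only protects passwords that would survive a dictionary attack anyway. And it protects nothing after the login request: the session cookie the server sets in reply still crosses the wire in the clear, and an active attacker who can alter the page can simply serve JavaScript that posts the password as typed.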
Re: Using hashing for password checking in auth module
I recommend you use bcrypt, the password-hashing algorithm used in OpenBSD.

The advantages are that it creates and automatically manages the salt for each password entered; and, most importantly, it is adaptable to future processor performance improvements.

http://pypi.python.org/pypi/bcryptWrap

On 30 ene, 19:36, Guy Rutenberg wrote:
> Hi,
>
> I've started using Django recently and when I've used the auth module
> I noticed that it only verifies a plain text password. I'm not
> comfortable with this behaviour as it means that passwords have to be
> sent by login forms in plain text.
>
> In previous projects of mine I've used a solution that sent involved
> comparing a hash value of a given salt with the hash of the password
> (which is stored in the database). A salt is sent with the login form
> and upon submission, using javascript the salt is concated with a
> hahed password and then both of them are hashed again. The same thing
> happens in the server-side and only the result hashes are compared.
> This eliminates the need to send the password in plain-text in the
> login forms and adds extra security.
>
> Is it possible to such thing with the current auth module? if not how
> hard it will be to add such functionality to the current module/write
> a new authentication backend for it?
>
> Thanks,
>
> Guy Rutenberg
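Added example, not code from Django, bcryptWrap or any poster, covering two points in the thread at once: Martin's note above that check_password hashes the plain text before comparing (reconstructed here for the 1.0-era sha1$salt$hash format his REPL output shows), and the property Kless is recommending, a hash that carries its own cost parameter so the stored entry can be strengthened later. The strengthening happens on the next successful login, the only moment the server holds the plain text. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, since bcrypt needs a third-party module; the pbkdf2 format string, the function names and the toy iteration counts are assumptions for illustration and are far below what a deployment would use.

```python
import hashlib
import hmac
import secrets


def legacy_hexdigest(algorithm: str, salt: str, raw_password: str) -> str:
    """The 1.0-era contrib.auth digest: hash(salt + raw_password), hex-encoded.
    md5 and sha1 were the supported algorithms (crypt is left out here)."""
    if algorithm == "md5":
        return hashlib.md5((salt + raw_password).encode()).hexdigest()
    if algorithm == "sha1":
        return hashlib.sha1((salt + raw_password).encode()).hexdigest()
    raise ValueError("unsupported legacy algorithm: %s" % algorithm)


def make_legacy(raw_password: str, salt: str = None) -> str:
    """Produce a sha1$salt$hash entry of the shape shown earlier in the thread."""
    salt = salt or secrets.token_hex(3)[:5]  # five hex chars, as in that example
    return "sha1$%s$%s" % (salt, legacy_hexdigest("sha1", salt, raw_password))


def make_pbkdf2(raw_password: str, iterations: int, salt: str = None) -> str:
    """Stand-in for bcrypt (assumption): the cost is stored inside the entry,
    so it can be raised later without knowing anything but the password."""
    salt = salt or secrets.token_hex(8)
    dk = hashlib.pbkdf2_hmac("sha256", raw_password.encode(),
                             salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, dk.hex())


def check_password(raw_password: str, encoded: str) -> bool:
    """Verify a plain-text password against either stored format. The plain
    text is hashed first and only the digests are compared, in constant time."""
    algorithm, rest = encoded.split("$", 1)
    if algorithm in ("md5", "sha1"):
        salt, digest = rest.split("$", 1)
        candidate = legacy_hexdigest(algorithm, salt, raw_password)
    elif algorithm == "pbkdf2_sha256":
        iterations, salt, digest = rest.split("$", 2)
        candidate = hashlib.pbkdf2_hmac("sha256", raw_password.encode(),
                                        salt.encode(), int(iterations)).hex()
    else:
        return False
    return hmac.compare_digest(candidate, digest)


def needs_rehash(encoded: str, policy_iterations: int) -> bool:
    """True when the entry is a legacy digest or carries a cost below policy."""
    parts = encoded.split("$")
    if parts[0] != "pbkdf2_sha256":
        return True
    return int(parts[1]) < policy_iterations


def login(raw_password: str, encoded: str, policy_iterations: int):
    """Authenticate and, on success, return an upgraded entry when the stored
    one is weaker than current policy (None when it is already up to date)."""
    if not check_password(raw_password, encoded):
        return False, None
    if needs_rehash(encoded, policy_iterations):
        return True, make_pbkdf2(raw_password, policy_iterations)
    return True, None


if __name__ == "__main__":
    stored = make_legacy("secret", salt="a0052")   # constructed sample row
    print(stored)
    print(login("secret", stored, 2000))           # (True, 'pbkdf2_sha256$2000$...')
```

The upgrade path matters more than the particular algorithm: once every entry records its own cost, raising the policy number is a configuration change, and rows written under the old cost are replaced one login at a time instead of by a migration that would need the plain-text passwords.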
Re: Using hashing for password checking in auth module
Hi Kless,

Correct me if I'm wrong, but bcrypt can be used as a solution for storing the passwords in the database (instead of the default sha1), but it doesn't provide the solution I'm looking for: not sending plain-text passwords in login forms. Anyway, bcrypt sounds interesting, especially its ability to adapt to processor improvements.

Thanks,

Guy

On Jan 31, 11:41 am, Kless wrote:
> I recommend you to use bcrypt, the password-hashing algorithm used in
> OpenBSD.
>
> The advantages are that it creates and manages auto. the salt for each
> password entered; And the most important is that it is adaptable to
> future processor performance improvements.
>
> http://pypi.python.org/pypi/bcryptWrap
Re: Using hashing for password checking in auth module
Rutenberg, you're correct. bcrypt is only a solution for storing password hashes in a secure way. In fact, it's the most secure and easy way that I've found; and it has been implemented and is being used by OpenBSD.

Your method has a point of failure. Whoever can see your JS code (client code) will know what you are doing with the password that is sent from a form.

The best options are https or using HMAC-SHA1/RIPEMD160

On 31 ene, 12:24, Guy Rutenberg wrote:
> Hi Kless,
>
> Correct me if I'm wrong but bcrypt can be used as a solution for
> storing the passwords in the database (instead of the default sha1)
> but it doesn't provide the solution I'm looking for: not sending plain-
> text passwords in login forms. Anyway bcrypt sounds interesting,
> especially its ability to adapt to processor improvments.
>
> Thanks,
>
> Guy
>
> On Jan 31, 11:41 am, Kless wrote:
>
> > I recommend you to use bcrypt, the password-hashing algorithm used in
> > OpenBSD.
>
> > The advantages are that it creates and manages auto. the salt for each
> > password entered; And the most important is that it is adaptable to
> > future processor performance improvements.
>
> > http://pypi.python.org/pypi/bcryptWrap
Re: Using hashing for password checking in auth module
Hi Kless,

On Jan 31, 7:05 pm, Kless wrote:
> Your method has a point of failure. Whatever can see your code JS
> (client-code), so he will know what are you making with the password
> that is sent from a form.
>
> The best options are https or using HMAC-SHA1/RIPEMD160

I've indeed referenced HMAC in a couple of the previous posts. As these methods should be (almost) irreversible, I don't care if someone takes a look at the JS and figures out what I'm doing (I'm not trying to obtain security by obfuscation). As you said, HMAC-SHA1 (or any other strong hash with HMAC) is a good option. I just wonder if Django has built-in support for using these things or I have to write my own.

Thanks,

Guy
Re: Using hashing for password checking in auth module
Hi Rutenberg,

I've just found something that may be of interest to you. It's a "secure" method to log in without https, although it isn't really secure in comparison to https.

http://www.pylucid.org/about/features/JS-SHA-Login/

On 1 feb, 09:07, Guy Rutenberg wrote:
> I just wonder if Django
> has builtin support for using this things or I've to write my own.
Re: Using hashing for password checking in auth module
On Sun, 2009-02-01 at 01:07 -0800, Guy Rutenberg wrote:
> Hi Kless,
>
> On Jan 31, 7:05 pm, Kless wrote:
> > Your method has a point of failure. Whatever can see your code JS
> > (client-code), so he will know what are you making with the password
> > that is sent from a form.
> >
> > The best options are https or using HMAC-SHA1/RIPEMD160
>
> I've indeed referenced HMAC in couple of the previous posts. As this
> methods should be (almost) irreversable, i don't care if someone will
> take a look at the JS and figure out what I'm doing (I'm not trying to
> obtain security by obfustication). As you said, HMAC-SHA1 (or any
> other strong hash with HMAC) is a good option. I just wonder if Django
> has builtin support for using this things or I've to write my own.

Django itself does not have support for this. It's essentially out of scope. We had a long discussion about it a couple of years back and nothing has really changed since then (the best solution is HTTPS and anything else is a workaround with all the drawbacks that come with it).

There might (or might not) be some third-party application to provide it. Django is meant to be the basis on which other things are built and this sounds like something that would be a third-party thing.

Regards,
Malcolm