Ask Slashdot: Definitive Password Management Best Practices Using OSS?

← Back to Stories (view on slashdot.org)

Ask Slashdot: Definitive Password Management Best Practices Using OSS?

Posted by Soulskill on Friday September 11, 2015 @09:19PM from the plan-for-the-worst-hope-for-the-best dept.

jmcbain writes: I am an software engineer for a client-server user account system handling both Web and smartphone clients. I have been searching for definitive and crystal-clear best practices for managing user account and password data using open-source software, but I have only cobbled together a complete picture from dozens of websites. I currently have a system that sends passwords over SSL and performs bcrypt hashing for storage and authentication checking at the server side. Is that good enough? The recent Ashley Madison breach and the exposure of MD5-hashed passwords (as opposed to bcrypt) has me worried again. Can someone please suggest a definitive, cookbook-style Web resource or book on how to use open-source software to handle user passwords for multiple client-server scenarios? I would like answers to questions such as: Where do I perform hashing (smartphone/web client or server)? What hash algorithm should I use? How do I store the hashes? How can clients recover forgotten passwords? etc.

41 of 77 comments (clear)

Min score:

Reason:

Sort:

Solved... by Anonymous Coward · 2015-09-11 21:29 · Score: 5, Informative

Owasp authentication cheat sheet:
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
1. Re:Solved... by Anonymous Coward · 2015-09-12 01:20 · Score: 1
  
  Mod parent up! That is a very useful resource.
  Note that it doesn't meet the complete criteria of the question, because they're looking for a unicorn:
  
  ... searching for definitive and crystal-clear best practices
  There are simply too many variables involved for someone to write down the simple step-by-step instructions they seem to be asking for.
2. Re:Solved... by Anonymous Coward · 2015-09-12 09:49 · Score: 1
  
  generate new passwords.
  HASH on servers.
  SHA seems pretty good these days. Y use a KNOWN WEAK and BROKEN HASH? Thats asking for trouble.
  Make sure you have enough good entropy. HAVEGED Audio entropy, etc.etc. Theres network entropy too.
3. Re:Solved... by Jane+Q.+Public · 2015-09-12 12:01 · Score: 2
  
  There are simply too many variables involved for someone to write down the simple step-by-step instructions they seem to be asking for.
  There is one point that is pretty much cast in stone: there is no such thing as "secure password recovery".
  
  Maybe OP did not mean that literally, but if a password can be "recovered", it isn't secure. There is no way to have both.
  
  Passwords are replaced using a reset process, not recovered.
4. Re:Solved... by Jane+Q.+Public · 2015-09-12 20:24 · Score: 1
  
  How does THAT Slashdot comment get labeled as anything but harassment and bullshit?
  
  Off-topic, at least.
"How can clients recover forgotten passwords?" by Gaygirlie · 2015-09-11 21:32 · Score: 4, Insightful

No. Just.. no. They should *NEVER* be able to retrieve forgotten passwords, ever. If they forget a password you should provide a mechanism to generate a new one and then providing them with that, but you should never offer a mechanism to retrieve the old password. If you can retrieve their old password then anyone who gains access to your servers can also do that.
1. Re:"How can clients recover forgotten passwords?" by w3woody · 2015-09-11 22:35 · Score: 4, Informative
  
  If you use a one way hash that has been properly salted (i.e., HASH(SALT + password) ), then you should never be able to retrieve forgotten passwords, ever. If you can retrieve a lost password for a user, then you've screwed it up, because if you can recover a lost password, someone who scraped your database can recover a lost password.
  The worst, by the way, are web sites which require you to pick a super-secure password (at least 12 characters long, must contain punctuation, both upper and lower case letters, a number character, an Egyptian hieroglyph, and must not match the last 15 passwords used in the past and must be changed ever 30 days)--then stores the password and password history as plain text in the user database. Those are the guys I'd love to murder in cold blood.
  Personally I've always liked using some element of a user record attribute as part of the SALT--such as having a UUID associated with each user record that becomes part of the salt for the hash (i.e., HASH(SALT + password + UUID) )--because this means if someone does scrape your database it's computationally a little more difficult to reverse engineer the passwords in the database because even a bunch of people use "123456" as their password, the hashes will be different for each of those users. Of course the UUID must never change or else you'll lock your users out.
  I'm also a fan of the POP3 protocol's APOP authentication mechanism, where sending credentials over the 'net requires two transactions: (1) obtaining a unique token for that session, then (2) hashing the password against that token to transmit to the back end. Of course this means you wind up hashing the plain text password *twice*: since you don't have the password on the back end (but its hash) you can only compare against HASH(TOKEN + hashed_password), and on the front end you wind up calculating HASH(TOKEN + HASH(SALT + password + UUID) ). But that requires a lot of work in the client.
  Simply sending HASH(SALT + password + UUID) rather than hashing the hash with an additional token means you're subject to a replay attack, where a third party could listen in on the conversation and simply replay the login packet you send to connect to the server.
  And while I know a lot of folks claim that all of this is mitigated by using SSH, it doesn't protect against man-in-the-middle attacks, including incidental man-in-the-middle attacks created by certain proxy gateways which use their own certs in order to decrypt HTTP traffic to sniff for viruses or enforce corporate guidelines for acceptable use.
  Ultimately security won't stop the most determined hackers; you're not stopping the NSA, for example. But you can stop the script kiddies and disgruntled employees by taking some precautions--such as never storing sensitive information in a database (like credit cards) unencrypted, and using one-way hashes to store passwords.
  Oh, and as a footnote: unless you have a Ph.D. in cryptography, don't write your own random functions or hash functions. Yes, I've seen it in the field. Instead, use a cryptographically secure hash function. Heck, even MD-5 is going to be better than anything you try to roll on your own.
2. Re:"How can clients recover forgotten passwords?" by Michael+Woodhams · 2015-09-11 23:15 · Score: 2
  
  The worst, by the way, are web sites which require you to pick a super-secure password (at least 12 characters long, must contain punctuation, both upper and lower case letters, a number character, an Egyptian hieroglyph, and must not match the last 15 passwords used in the past and must be changed ever 30 days)--then stores the password and password history as plain text in the user database. Those are the guys I'd love to murder in cold blood.
  No, cold-blood-murder is reserved for sites that do all of the above and also send you a confirmation e-mail containing your password in clear text.
  
  --
  Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
3. Re:"How can clients recover forgotten passwords?" by Anonymous Coward · 2015-09-12 02:28 · Score: 1
  
  I'm sorry, what? As in WTF are you on about? If someone says - and I quote - How can clients recover forgotten passwords? that is pretty clearly understood to mean "how does a client get their same password back". After all, he didn't write, "How can clients recover from forgotten passwords?". If he had, that would be a different ask - more in line with what you are saying. But that is NOT what he asked. Remember that "recover forgotten passwords" has a meaning. You can't just make up another one and expect us to agree with you.
4. Re:"How can clients recover forgotten passwords?" by tepples · 2015-09-12 03:16 · Score: 1
  
  You may want to say I will use a Text Messages to a phone, this is also insecure. However it may work for low value websites.
  A site would have to be pretty high value in order to require the user to subscribe to cellular service just to use the site.
5. Re:"How can clients recover forgotten passwords?" by Kavonte · 2015-09-12 12:14 · Score: 1
  
  Personally I've always liked using some element of a user record attribute as part of the SALT--such as having a UUID associated with each user record that becomes part of the salt for the hash (i.e., HASH(SALT + password + UUID) )--because this means if someone does scrape your database it's computationally a little more difficult to reverse engineer the passwords in the database because even a bunch of people use "123456" as their password, the hashes will be different for each of those users. Of course the UUID must never change or else you'll lock your users out.
  You're supposed to use a new random salt for each password. That's why you store the salt alongside the hashed password in the database.
6. Re:"How can clients recover forgotten passwords?" by 0100010001010011 · 2015-09-12 13:23 · Score: 1
  
  I remember stuff that is easy for humans to remember and let computers generate the hard stuff.
  My slashdot password is echo -n [mysalt]+0100010001010011+slashdot.org | sha265
  The hell if I actually remember that. I could generate it with a piece of paper given enough time. I can generate it on almost any OS I use daily.
  Let mysalt be HorseBatteryStaple. Some inside joke, anything.
7. Re:"How can clients recover forgotten passwords?" by w3woody · 2015-09-12 23:31 · Score: 1
  
  "Use bcrypt. Just use bcrypt. Or PBKDF2 if you must. But really bcrypt. General hash (MD, SHA) != Cryptographic hash function. All that extra cleverness that you're doing with UUIDs is superfluous if you just use a proper HASH function (did I mention bcrypt?)."
  The purpose of using a separate per-user token is so that when (not "if") someone takes your database, password similarity won't jump out at them. Meaning if a bunch of users use "123456" as their password, they won't be hashed to the same value in the database.
  You have to assume if someone steals your database they're not stealing a single user record, but your entire database of 5 million users, and they now have 5 million data points in order to help them reverse engineer which hashing function was used. And even the best cryptographic one-way hashing function will hash the same input and generate the same output each time--meaning if 10,000 of your 5 million users used "123456", well, it will show up as 10,000 identical fields, giving you a hint as to how things are encrypted.
8. Re:"How can clients recover forgotten passwords?" by w3woody · 2015-09-12 23:32 · Score: 1
  
  And this is different from what I described (with the exception of tossing in a separate constant component of the SALT not stored in the database) how, exactly?
9. Re:"How can clients recover forgotten passwords?" by Kavonte · 2015-09-13 13:54 · Score: 1
  
  If you're not talking about using the same salt for each password, then I don't know why you're concerned about multiple users having the same hash simply because they have the same password. The different salts will ensure that they have different hashes even if the passwords are the same.
10. Re:"How can clients recover forgotten passwords?" by balbus000 · 2015-09-16 01:45 · Score: 1
  
  I think the point is that the salt takes care of uniqueness for the password hash. There is no additional benefit of using both a salt and a UUID.
Use OpenLDAP and Kerberos by Zombie+Ryushu · 2015-09-11 21:43 · Score: 3, Informative

Use Kerberos with one of the heftier encryption types. Don't use the default Crypt Password type used in Shadow Passwords, and store your accounts in OpenLDAP, not a SQL Database
1. Re:Use OpenLDAP and Kerberos by dejanc · 2015-09-11 22:19 · Score: 1
  
  Use Kerberos with one of the heftier encryption types. Don't use the default Crypt Password type used in Shadow Passwords, and store your accounts in OpenLDAP, not a SQL Database
  
  What are the advantages of using OpenLDAP over a SQL database for storing user accounts? Any real world experience that you could share?
2. Re:Use OpenLDAP and Kerberos by Zombie+Ryushu · 2015-09-11 22:25 · Score: 2
  
  OpenLDAP (and similar LDAP like Databases are meant for Authorization and Authentication functions. They can use ACLs and are better designed for this use, and th ACLs can make them resistant to data leakage. If you must use a SQL database for other custom things, link some form of User ID in LDAP to a corresponding field in SQL.
3. Re:Use OpenLDAP and Kerberos by AchilleTalon · 2015-09-12 01:27 · Score: 2
  
  One important reason you should use something like Kerberos, is the usability. The users will not have a different password on each machine with its own rules and expiration date, etc. This quickly lead to users to write down their passwords on a post-it or use the bad practices to manage the security of their own passwords because they have to periodically change their passwords on many machines. Also, you will have a single or a limited number of password repositories to secure instead of having one on each machine.
  You are also better to enforce longer passwords than byzantine rules for passwords to get enough entropy. I have even seen password rules which instead of leading to stronger security were leading to weaker security. It is not because a password is difficult to remember by a human it is difficult to crack by an automated program. There is no link between difficult to remember and good password.
  
  --
  Achille Talon
  Hop!
Answers by Lord+Duran · 2015-09-11 21:51 · Score: 5, Informative

Where do I perform hashing (smartphone/web client or server)?
You hash twice, with different salts - once on the client side and once again (i.e., hash the hash) on the server side. The doubly-salted, doubly-hashed password is the one you store.
What hash algorithm should I use?
You said it yourself - bcrypt. bcrypt allows you to set a cost, which increases password brute-forcing difficulty but also increases computational cost on every verification. Set the cost to be the maximum you can handle - if you have a stronger computer and fewer users, you can set a higher cost.
How do I store the hashes?
Chrome uses encrypted SQLite for browser saved passwords. Which encryption depends on the platform - Windows has CryptProtectData, KDE and Gnome have keyrings. The basic idea for all of these is to use some symmetric encryption algorithm (e.g. AES) with the key derived from some set of hashes on machine-specific data, like hardware serial numbers. If you want to go hardcore, use a hardware encryption dongle (HSM).
Note that it is important to encrypt the file on disk, but it is also important to make sure that decrypted hashes stay in server memory for as little as possible.
How can clients recover forgotten passwords?
They can't recover forgotten passwords - you're only storing hashes, remember? What they can do is reset their password. Two factor authentication is best (a verified email account and phone number, if you can send SMSes or automated calls), but at least email and a security question seems to be the standard.
1. Re:Answers by DamonHD · 2015-09-11 23:22 · Score: 3, Insightful
  
  Security questions IMHO *lower* overall security for a number of reasons and I refuse to use them.
  2FA is a good idea.
  Rgds
  Damon
  
  --
  http://m.earth.org.uk/
2. Re:Answers by Soft · 2015-09-11 23:55 · Score: 1
  
  keyrings [...] key derived from some set of hashes on machine-specific data, like hardware serial numbers. If you want to go hardcore, use a hardware encryption dongle (HSM).
  
  I'm not an expert, but I'd be wary of storing passwords into a keyring that I can no longer open if some piece of hardware fails. Wouldn't a well-chosen master password be safer?
3. Re:Answers by bill_mcgonigle · 2015-09-12 01:28 · Score: 2
  
  Security questions IMHO *lower* overall security for a number of reasons and I refuse to use them.
  I often don't have a choice, but my bank only knows that my favorite dog's name was #tg57(747R86$vX. "Old Hashy", we'd call him.
  AFAIK, no password vault solutions help the user deal with this kind of nonsense.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
4. Re:Answers by DamonHD · 2015-09-12 03:11 · Score: 1
  
  I had a huge argument about this stuff about my bank and whether a fat middle aged bloke should have a favourite colour (and the entropy in the choices anyway) and was explicitly allowed to put rubbish in all the fields and the bank indeed replaced it all with 2FA soon after.
  So sometimes there are choices.
  Rgds
  Damon
  
  --
  http://m.earth.org.uk/
5. Re:Answers by raftpeople · 2015-09-12 03:19 · Score: 1
  
  Why did you have to argue with them? I just key in whatever garbage I feel like in those fields, no need to ask
6. Re:Answers by Chelloveck · 2015-09-12 04:28 · Score: 1
  
  Any password manager that lets you enter arbitrary text (even a single plain-text "notes" field) handles it. It may not auto-fill forms for these, but it can at least record them for later use. You really should never need them auto-filled anyway, since they're just for when you forget your password which you won't because you're using a password manager. I use KeePass which allows me to enter arbitrary key:value pairs. Most sites in my database now have a few entries like Ol' Hashy up there. Userid Chelloveck Password +NJUR3xGhQwaFQ/b "What is your quest?" S~V%.tywopTl0kB! "What is your favorite color?" *E3sj*_6Jp
  I just use the same random generator that I use for making my actual passwords.
  (Really, Slashdot? Have you ever actually looked at your styling choices? The definition list styling is just plain stupid for lists longer than a single term/definition pair.)
  
  --
  Chelloveck
  I give up on debugging. From now on, SIGSEGV is a feature.
7. Re:Answers by DamonHD · 2015-09-12 05:29 · Score: 1
  
  Because I wanted the bank staff (and I raised it to a fairly high level) to understand and accept that the 'security questions' could never reasonably used the way that the bank expected, and having gained that insight (and the firestorm of complaint in social media at the time) the bank fixed the issue reasonably well.
  It's not perfect, but the current system works reasonably well.
  So, argument and persuasion rather than just whining seemed to be winning.
  Rgds
  Damon
  
  --
  http://m.earth.org.uk/
8. Re: Answers by ovoskeuiks · 2015-09-12 09:30 · Score: 1
  
  I was disturbed to find out one of my banks doesn't recognise case in its passwords. I put my password in with caps lock on and it worked. Tested a few combinations of upper and lower case all worked.
Re:Hashing by Bert64 · 2015-09-11 21:59 · Score: 2

Doing the hash client side will open you up to pass the hash attacks...
Trying fixed size hashes won't be a real advantage, there are usually many more possible hashes than actual passwords (assuming you use a sensible hashing algorithm)...
Doing it client side also makes it impractical/pointless to use salts.
You want to authenticate using public/private keys and/or a two factor system if you can, passwords really are a lowest common denominator.

--
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
How to handle passwords? Don't. by Anonymous Coward · 2015-09-11 23:34 · Score: 1

If at all possible don't do it. Use OpenID, etc. to let someone else have the passwords and worry about that aspect of security. (This is often made user-friendly by showing "Login with Google", etc. for all of the major OpenID providers.) If OpenID or something similar is not an option... then have a really good reason why not. You really don't want to be touching password hashes if you can avoid it.
If your smartphone app has support for typing in a password on the phone keyboard, something has gone horribly wrong. Once authenticated, the app should just store a certificate internally. To authenticate, use a login on a computer or an e-mail or support using the account the phone is logged in with (e.g. a Google account; I assume iOS has a similar login feature).
Sustainable password hashing by bdrasin · 2015-09-12 02:37 · Score: 1, Informative

I'm tooting my own horn, but you might find my article on long-term password hashing strategies helpful:
https://medium.com/@uther_bendragon/sustainable-password-hashing-8c6bd5de3844
TL;DR version:
1) Use a one-way collision-resistant algorithm developed by professional cryptographers, and the implementation of which has been adequately studied and understood;
2) Do not use an algorithm with known vulnerabilities (this obvious step is sometimes not followed);
3) Use randomly-generated data—salt as additional input to the algorithm to minimize vulnerability to rainbow/lookup table attacks. The salt should be generated from a Cryptographically Secure Pseudo-Random Number Generator;
4) Use a long salt, preferably as long as the output of the hash function;
5) Use an adaptive hashing algorithm—that is to say, an algorithm with a configurable number of encryption iterations to slow attackers (a.k.a. key stretching). The number of iterations can be tuned as the speed of available hardware increases to keep the resulting hash secure. Such choices include PBKDF2, bcrypt and now scrypt.
6) At at some point you will need to change your hashing function, in fact, probably many times. So store the algorithm along with the hash e.g. ALG:HASH:SALT
7) secure legacy hashes by wrapping the obsolete hash with a new one e.g. encrypt the md5 hash of the guy who hasn't logged in for years in your new hashing algorithm and store it with a token like md5|pbkdf2:hash:salt
1. Re:Sustainable password hashing by DamonHD · 2015-09-12 04:09 · Score: 1
  
  Hmm, yes, when I was putting together security for an online financial system (eg worth stealing credentials for) many years ago, (7) was nagging at me and I might have made do with an upgrade in hash mechanism at next login after a policy change, but yours is nice and/or in combination.
  Rgds
  Damon
  PS. (4) is also an interesting rule-of-thumb, thank you!
  
  --
  http://m.earth.org.uk/
Re:MD5 hashing has security advisory by tepples · 2015-09-12 03:18 · Score: 1

Even SHA256 ten times in a row has problems when used to derive a key from a password. The key isn't which hashing function you use as much as using it a couple thousand times.
OpenID Connect providers decline to offer dyn-reg by tepples · 2015-09-12 04:39 · Score: 1

This is often made user-friendly by showing "Login with Google", etc. for all of the major OpenID providers.
In the era of classic OpenID, the relying party could just provide a field to paste in the user's identifier, and then the login form would take to the provider's site to complete authentication. It was envisioned that users would use the browser's autofill feature to populate the identifier field. But in the era of OpenID Connect, only providers that support Dynamic Client Registration (dyn-reg) support the paste-an-identifier flow, and none of the major providers have chosen to implement dyn-reg. So each relying party needs to sign a contract with each provider to obtain an OAuth client key, which is an O(n^2) problem. So before going live, a site operator needs to sign up with each of "the major OpenID providers". How can a site operator tell what are "the major OpenID providers" at any given time, other than Google?

If your smartphone app has support for typing in a password on the phone keyboard, something has gone horribly wrong. Once authenticated, the app should just store a certificate internally. To authenticate, use a login on a computer
A mobile phone is a computer. If you meant specifically a desktop computer, not everybody who owns a mobile phone also owns a desktop computer, such as one of my former co-workers. Nor does everybody who owns a desktop computer also own a mobile phone with an active subscription to unlimited SMS. In countries where both the sender and receiver of a text message are billed, such as the United States, this can cause users to run up big cell bills when logging in with an OpenID Connect provider that uses two-factor authentication.

or an e-mail
I'm not understanding what you mean by this.

or support using the account the phone is logged in with (e.g. a Google account; I assume iOS has a similar login feature).
The user still has to put in the password for the Google account when logging into the Google account.
How can clients recover forgotten passwords? by wjcofkc · 2015-09-12 04:52 · Score: 1

Allow me to correct this part of your question:

How can clients recover from forgotten passwords. I'm not saying that using the standard practice of implementing a mechanism whereby a user can reset their own password based on their username and email address is perfectly secure - nothing is - but under no circumstances should a password be retrievable in that manner. Also, the act of a self service password reset should instantly nuke the old.

--
Brought to you by Carl's Junior.
1. Re:How can clients recover forgotten passwords? by tepples · 2015-09-12 07:26 · Score: 1
  
  the act of a self service password reset should instantly nuke the old
  I disagree. The old password ought to get nuked when the new one is pasted in twice from your password manager. Otherwise, an attacker can DOS your account by requesting a reset every hour.
most important by xtronics · 2015-09-12 06:55 · Score: 1

See the link from the paper here: https://www.youtube.com/watch?...
Make them long - make them memorable forget the upper/number/Special nonsense.
Salted Password Hashing - Doing it Right by ecotax · 2015-09-12 06:57 · Score: 1

That's the title of this page and I found that to be truth in advertising - it's readable and informative.

--
"Money is a sign of poverty." - Iain Banks
Quickly outdated by RogerWilco · 2015-09-12 21:43 · Score: 1

I think the most important thing to remember on security related topics like this: The answers can get quickly outdated as technology progresses.
Books might be outdated by the time they appear in print, especially on a lot of practical details. What was considered impossible a few years ago might be done on a machine with a few big GPUs today. Technologies, ideas and theory advance a lot as there is a real war going on in the security field, both by big companies and more shady organisations. All with huge interests.

--
RogerWilco the Adventurous Janitor
Re:If you have to ask by w3woody · 2015-09-12 23:37 · Score: 1

It's still a valid question to respond to, if only because for every person who steps up to the plate asking questions to alleviate their ignorance, there are a hundred others out there implementing authentication on various public web sites who remain seeped in their own ignorance.
And programmers are an egotistical lot: when was the last time you ever told a programmer "leave that to the experts" and didn't get "fuck you, asshole; I know what I'm doing!!!" as a response?