WebApp Sec mailing list archives
Re: At what layer to hash a password
From: Chris Travers <chris () metatrontech com>
Date: Sat, 26 Jun 2010 07:36:42 -0700
On Mon, Jun 21, 2010 at 6:06 AM, Robin Wood <robin () digininja org> wrote:
When developing a web app using a presentation (html generation not browser side), application and database layer approach at what level should you encode a password that is on its way into a database? I'm generally thinking of hashing as the main encoding method but anything could be used.
This is a good question. I think it depends on a large number of things.

For my own applications I use a strategy I call "push security back", which is a variation on the idea that applications should have the least possible level of trust. In this model, permissions enforcement and authentication are handled by the lowest tier I can use. So normally I use native database accounts and have the db library hash the passwords when the user is trying to log in. There are, of course, some disadvantages to this approach (namely that the password must be resubmitted in some way on every page request). But on the whole it's better for the application to trust the db, but not have the db trust the application (in this model, the application doesn't actually have permission to do ANYTHING aside from what the user's permissions are).

The main disadvantage, as you say, is that accidental disclosure of passwords becomes a possible problem. I usually handle this by ensuring that passwords are essentially isolated from the rest of the application, making it less likely for an accident to disclose the password.

The other main place I'd consider putting the password hashing, if I could, would be something like the way HTTP Digest Auth does it, where a challenge/response relative to the client sends back a hash which is then verified against a password plus some additional information. However, this generally requires a high level of trust in your application.

So the question is, where do you want to draw the trusted/untrusted border?

Best Wishes,
Chris Travers
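The Digest-style challenge/response Chris mentions, worked through as an added example that is not part of the original thread. Both sides of the exchange are shown: the server issues a one-time nonce, the client replies with a hash derived from the password and the nonce (so the password itself never crosses the wire), and the server verifies it against a stored password-equivalent. The construction follows RFC 2617 (HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2)); MD5 is what that RFC specifies and is used here to match the protocol, not as a recommendation for new designs. The realm, the credential store and the user "alice" are constructed for the example. Note the trust point the post makes: the server must hold HA1 in the clear, which is password-equivalent for that realm, so this scheme moves hashing to the client but does not remove the need to trust the tier that holds the store.

```python
import hashlib
import secrets

# Constructed example values; nothing here comes from the original post.
REALM = "example.org"


def h(s: str) -> str:
    """MD5 hex digest, as RFC 2617 Digest Auth specifies."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """The stored credential: password-equivalent for this realm."""
    return h(f"{username}:{realm}:{password}")


class DigestServer:
    """Server side: issues single-use nonces and verifies responses."""

    def __init__(self, realm: str, ha1_store: dict):
        self.realm = realm
        self.ha1_store = ha1_store      # username -> HA1; must be protected
        self.outstanding = set()        # nonces issued but not yet used

    def challenge(self) -> dict:
        """WWW-Authenticate: a fresh, unpredictable nonce per request."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {"realm": self.realm, "nonce": nonce}

    def verify(self, method: str, uri: str, auth: dict) -> bool:
        """Check an Authorization header; consume the nonce so replays fail."""
        nonce = auth.get("nonce")
        if nonce not in self.outstanding:
            return False                # unknown, expired or replayed nonce
        self.outstanding.discard(nonce)
        stored_ha1 = self.ha1_store.get(auth.get("username"))
        if stored_ha1 is None:
            return False                # unknown user
        ha2 = h(f"{method}:{uri}")
        expected = h(f"{stored_ha1}:{nonce}:{ha2}")
        # constant-time compare so a wrong guess leaks no timing information
        return secrets.compare_digest(expected, auth.get("response", ""))


def client_response(username: str, password: str, realm: str,
                    nonce: str, method: str, uri: str) -> dict:
    """Client side: only the derived hash leaves the client, never the password."""
    ha2 = h(f"{method}:{uri}")
    response = h(f"{ha1(username, realm, password)}:{nonce}:{ha2}")
    return {"username": username, "nonce": nonce, "response": response}


def run_exchange(server: DigestServer, username: str, password: str,
                 method: str = "GET", uri: str = "/account") -> tuple:
    """One full round trip; returns (client message, server verdict)."""
    chal = server.challenge()
    auth = client_response(username, password, chal["realm"],
                           chal["nonce"], method, uri)
    return auth, server.verify(method, uri, auth)


def demo() -> dict:
    """Exercise the happy path, a replay, a wrong password and an unknown user."""
    server = DigestServer(REALM, {"alice": ha1("alice", REALM, "correct horse")})
    auth, ok = run_exchange(server, "alice", "correct horse")
    replayed = server.verify("GET", "/account", auth)   # same nonce again
    _, wrong_pw = run_exchange(server, "alice", "battery staple")
    _, no_user = run_exchange(server, "bob", "correct horse")
    return {
        "ok": ok,
        "password_on_wire": "correct horse" in str(auth),
        "replay_accepted": replayed,
        "wrong_password_accepted": wrong_pw,
        "unknown_user_accepted": no_user,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The server's `ha1_store` is the part that needs the "high level of trust" the post refers to: anyone who reads it can impersonate every user in that realm without ever learning a password, so in the "push security back" model it belongs in the lowest tier you can keep it in, not in the web application.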
Current thread:
- At what layer to hash a password Robin Wood (Jun 26)
- Re: At what layer to hash a password Chris Travers (Jun 28)
- Re: At what layer to hash a password Javier Bassi (Jun 28)
- Re: At what layer to hash a password Chris Travers (Jun 29)
- RE: At what layer to hash a password Dave Wichers (Jun 28)
- Re: At what layer to hash a password Robin Wood (Jun 28)
- Re: At what layer to hash a password Tom Ritter (Jun 28)
- Re: At what layer to hash a password Grega Bremec (Jun 28)
- Re: At what layer to hash a password Robin Wood (Jun 28)
- Re:Re: At what layer to hash a password 薛 (Jun 29)
- Re: At what layer to hash a password Grega Bremec (Jun 28)
- RE: At what layer to hash a password Niels Teusink (Jun 28)
- Re: At what layer to hash a password Chris Travers (Jun 29)