Web Application Security
At what layer to hash a password Jun 21 2010 01:06PM
Robin Wood (robin digininja org) (5 replies)
RE: At what layer to hash a password Jun 28 2010 08:37PM
Niels Teusink (teusink fox-it com) (1 replies)
Re: At what layer to hash a password Jun 29 2010 04:46AM
Chris Travers (chris metatrontech com)
RE: At what layer to hash a password Jun 26 2010 07:26PM
Dave Wichers (dave wichers aspectsecurity com) (1 replies)
Re: At what layer to hash a password Jun 26 2010 07:29PM
Robin Wood (robin digininja org)
Re: At what layer to hash a password Jun 26 2010 05:02PM
Javier Bassi (javierbassi gmail com) (1 replies)
Re: At what layer to hash a password Jun 29 2010 04:43AM
Chris Travers (chris metatrontech com)
Re: At what layer to hash a password Jun 26 2010 02:36PM
Chris Travers (chris metatrontech com)
On Mon, Jun 21, 2010 at 6:06 AM, Robin Wood <robin (at) digininja (dot) org> wrote:
> When developing a web app using a presentation (html generation not
> browser side), application and database layer approach at what level
> should you encode a password that is on its way into a database? I'm
> generally thinking of hashing as the main encoding method but anything
> could be used.

This is a good question. I think it depends on a large number of
things. For my own applications I use a strategy I call "push
security back" which is a variation on the idea that applications
should have the least possible level of trust. In this model,
permissions enforcement and authentication are handled by the lowest
tier I can use. So normally I use native database accounts and have
the db library hash the passwords when the user is trying to log in.
There are, of course, some disadvantages to this approach (namely that
the password must be resubmitted in some way on every page request).
But on the whole it's better for the application to trust the db, but
not have the db trust the application (in this model, the application
doesn't actually have permission to do ANYTHING aside from what the
user's permissions are). The main disadvantage, as you say, is that
accidental disclosure of passwords becomes a possible problem. I
usually handle this by ensuring that passwords are essentially
isolated from the rest of the application, making it less likely for
an accident to disclose the password.

The other main place I'd consider putting the password hashing if I
could would be something like the way HTTP Digest Auth does it, where
a challenge/response relative to the client sends back a hash which is
then verified against a password plus some additional information.
However, this generally requires a high level of trust in your
application.

So the question is, where do you want to draw the trusted/untrusted border?

Best Wishes,
Chris Travers


Re: At what layer to hash a password Jun 26 2010 11:13AM
Tom Ritter (tom ritter vg) (1 replies)
Re: At what layer to hash a password Jun 28 2010 08:55AM
Grega Bremec (gregab p0f net) (2 replies)
Re:Re: At what layer to hash a password Jun 29 2010 01:48AM
è?? (deco1987 126 com)
Re: At what layer to hash a password Jun 28 2010 02:17PM
Robin Wood (robin digininja org)
Copyright 2010, SecurityFocus