hashPassword should not rehash a password that is already a bcrypt hash #66
Comments
Detecting a hash is not really possible. Some longer version of "abc123" is a possible hash, but could also be someone's password. This also creates a potential vulnerability, where passwords that appear to be hashed are actually stored in plaintext.
A bcrypt hash has a defined format; see http://stackoverflow.com/questions/5393803/can-someone-explain-how-bcrypt-verifies-a-hash/10933491#10933491
The problem isn't whether bcrypt has a defined format, it's whether user passwords have a defined format. They don't. So if my user password is something like https://github.com/tjwebb/sails-auth/blob/master/api/models/Passport.js#L12, what if a password is hashed with a different salt, or salt length? It'll look like a bcrypt password, but the comparison wouldn't work. There's just no way I'm going to conditionally allow some passwords to enter the database un-hashed. The security of the system then starts to depend on programmer skill at writing logic to discern password formats, rather than encryption. If your goal is to never store the sails-permissions admin password in plaintext, send it in as an environment variable when you start your Sails app for the first time: $ ADMIN_PASSWORD=mypassword sails lift
I was basing the detection off of
You can send it in through the REST interface (
That's not up to me to decide. People use all kinds of passwords with all kinds of special characters and various craziness. Creating a separate, special process for already-hashed passwords just opens up an additional attack vector. It only has the potential to create problems. The reasons I've mentioned are probably some of the same reasons that no databases or other popular web services allow administering users in this way. There's nothing stopping you from implementing this yourself in an extension to this module, but I very strongly advise against it.
SQL Server supports it (see https://msdn.microsoft.com/en-us/library/ms189751.aspx), Oracle supports it (see http://docs.oracle.com/cd/E17952_01/refman-5.5-en/create-user.html), and MySQL supports it (see http://www.techonthenet.com/mysql/users/create_user.php). I'm not sure how supplying a hashed password opens an attack vector any more than sending a clear text one does. Each of the cases above provides options for supplying it either way, but it is stored as hashed.
From the SQL Server docs:
There's a good reason for this, which I've mentioned already. Here, you are migrating data, which is fine for you. This functionality is not appropriate as a general feature of this module. Again, you're free to extend this module to suit your own custom requirements. A simpler option is to manually insert the data into the database; conceptually it makes sense: by going through sails-auth, you're trying to register a user who's technically already registered and has a password.
They still provide the option, and these are not new logins but existing ones. In any case, I'm not sure how to extend since the function is on the Passport model. I guess I can create a new model for the Passport named PassportHash that has the same attributes and update the password without the rehashed password after the user is registered?
I overrode the beforeCreate and beforeUpdate functions in api\models\Passport.js; is there some other more Sails-ish way to do it?
Yea, currently the hashing is done in

```js
{
  // ...
  beforeCreate: function (passport, next) {
    // Hash the password unless the caller asked to skip hashing or the
    // value already has the bcrypt hash format; otherwise store it as-is.
    if (!passport.skipHash && !passport.matchBcryptFormat(passport.password)) {
      hashPassword(passport, next);
    }
    else {
      next();
    }
  }
}
```