Secure Password Storage

Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Tue Dec 27, 2011 4:41 pm

Secure Password Storage

My friend has this website that acts as a portal to other sites, basically you log in to his site and it pulls information from various other accounts.  I'm curious as to your input on his password storage method.  He stores all the usernames and passwords for the various sites in a database encrypted with a key based on a user's master password for his site.  That seems pretty standard to me.  He didn't want to store the master password for his site in the database in case someone got access to the db and could therefore get all the passwords, which seems like a good idea.  So he has the master password stored in plaintext in the script code of the user's home page on his site.  While this doesn't seem like a great idea, it does have its advantages:

1.  If someone is able to break in and access the database, they wouldn't be able to read the passwords for the other sites because they're encrypted (assuming of course, they can't do a SQL injection or something like that).

2.  The user's master password can't be read by viewing the source because it's in a script.  The only way I can think to read the password would be if an attacker could use some form of XSS or something similar to "break" the page and get it to spit out the code.  Am I correct, or is there something else I should be wary of?  Assuming of course, that an attacker is not able to download the source code off the site.

What are your thoughts on this method?  Is there some other security issue/attack I need to take into account?  Is there some way this could be made more secure, or a different technique he should try all together?

Thanks.
Sec+, eCPPT
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Dec 27, 2011 5:16 pm

Re: Secure Password Storage

I'm not an expert on this type of thing, but a couple things jump out at me right away.

I assume the reason he didn't hash the password was so he could use it to decrypt the encrypted information. However, since the user is (obviously) inputting the password, he could just store that in a session variable for decryption, which would still allow him to store the hash of the password for authentication purposes. You would then run the risk of the key being stolen via XSS, but I think that would be a much better configuration. Plus, if XSS is present, that could likely be leveraged to gain the same access even if the key wasn't present. If you didn't want to store the key in plain text in the session, you could use the user's IP to encrypt/decrypt it during processing, since that should be static throughout the session. See, I'm just brainstorming here :)

Absolutely do not assume something is safe because it is stored in a script that is not generally output in standard HTML. If there are command injection or file include vulnerabilities, those would likely allow the contents of the files to be displayed. I'm pretty sure I've also seen broken PHP configurations just dump the file instead of processing it; a future configuration change could be disastrous. Also, do not make the assumption that such a compromise would be isolated to a single user either. If they can list directory contents, cat files, etc., it would likely be trivial to do that for all users/directories/files.
Last edited by dynamik on Tue Dec 27, 2011 5:20 pm, edited 1 time in total.
The day you stop learning is the day you start becoming obsolete.
hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Dec 27, 2011 5:40 pm

Re: Secure Password Storage

You'd also be surprised at how easy it is, sometimes, to get said 'script'...
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Wed Dec 28, 2011 12:14 am

Re: Secure Password Storage

Seen wrote:So he has the master password stored in plaintext in the script code of the user's home page on his site.


What kind of script?  If the script is a client-side script (i.e. javascript), then any user can read it even if it's sourced in and not viewable using "right-click and View Source".  If the user/attacker has trouble reading it in the browser, he can just use Wireshark to read it as it comes across the wire.  This is a god-awful-never-even-think-about-it idea.

If the script is stored and executed server-side, it's trickier but still possible to recover the password.  In this case, the attacker needs some sort of disclosure vulnerability.  This is better, but not good.

The secure thing would be to not have a global master password.  Then, users are responsible for their own data.  If they forget their own master password, they lose their information and have to start over.  The site could reset their master password, but the saved passwords for other sites would be lost.  This is probably the best choice.

I don't know of a safe way to implement the global master password.  If the password is stored on the server and an attacker gets unfiltered access to the server, the attacker has the password.  If the password is sent to the client, everyone has the password.  Ditch the global master.
BS in IT, CISSP, MS in IS Management (in progress)
Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Wed Dec 28, 2011 1:41 am

Re: Secure Password Storage

dynamik wrote:I assume the reason he didn't hash the password was so he could use it to decrypt the encrypted information.  However, since the user is (obviously) inputting the password, he could just store that in a session variable for decryption, which would still allow him to store the hash of the password for authentication purposes.


The hash of the plaintext of the password is used as the decryption key for the database, so storing the hash doesn't seem that much more secure.  Although I suppose he could hash the "hashed" password and use that as a key.  Storing the password in a session variable would be a good idea; however, this way the password would have to be stored in a database somewhere in order to verify that what a user enters is correct, right?  Or, I guess if it wasn't stored in a database and was just used as the decryption key for the other passwords, then the login would fail if the database doesn't decrypt properly.  Is it possible to test for that?

unicityd wrote:If the script is stored and executed server-side, it's trickier but still possible to recover the password.  In this case, the attacker needs some sort of disclosure vulnerability.  This is better, but not good.

The secure thing would be to not have a global master password.  Then, users are responsible for their own data.  If they forget their own master password, they lose their information and have to start over.  The site could reset their master password, but the saved passwords for other sites would be lost.  This is probably the best choice.


The script is server-side.  I guess I'm not exactly sure what you're suggesting unicityd, or perhaps I wasn't clear in my description.  There is no global master password, if by global you mean one password that will unlock all the passwords for all the users on the site.  There is one password that will unlock all the passwords for a particular user on the site.  Right now, there is no way to reset a password without having to re-enter all the passwords, because as you said, it's not very secure to have a global master password.

Thanks guys, you've given me a lot to think about.
Sec+, eCPPT
unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Wed Dec 28, 2011 2:19 am

Re: Secure Password Storage

I misunderstood; I thought he had a master password for the entire site in addition to each user's master. 

I wondered why you were talking about XSS, but it makes more sense now.  If the user's password/hash is stored in state then XSS could potentially recover it for an attacker.

In the case of per-user master passwords, they should not be stored in the database and the hash shouldn't either so it sounds like he got that right.  The password/hash can be kept in state for the user's session.  I don't know how you mean that he's storing it in the script.  Do you mean it's put into the dynamically generated homepage of the user?  If so, it's being sent to the user in the clear and would be vulnerable to XSS attacks (if any exist on the site). 

Rather than pass it back to the user in plaintext, the site could encrypt it with a per-session key and hand it back to the user that way.  The server could generate a new key for each session and use it to encrypt/decrypt the user's password hash during that session without ever storing it in the database.  This limits the amount of time that the server ever has the hash accessible to itself and would be especially helpful for inactive sessions.  XSS would not work because the user would only have the encrypted hash at any given time and server-side attacks would be limited because the server would only know how to decrypt the encrypted hash and would only have a few decrypted in memory at any given time.

Just to clarify, I'm assuming that he hashes the password with MD5, SHA, or a construction like PBKDF2.  That hash would be used as the key to encrypt/decrypt the user's information in the database.  Call this value 'hash(password)'.  Your friend currently stores the plaintext password in a script for the user's home page, but I'm not clear on how exactly he is doing that.  I'm suggesting that he generate a session key and encrypt the hash and pass that back to the user, call it 'encrypt(hash(password))'. 

Does this make sense?
BS in IT, CISSP, MS in IS Management (in progress)
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Dec 28, 2011 9:18 am

Re: Secure Password Storage

Seen wrote:The hash of the plaintext of the password is used as the decryption key for the database, so storing the hash doesn't seem that much more secure.  Although I suppose he could hash the "hashed" password and use that as a key.  Storing the password in a session variable would be a good idea; however, this way the password would have to be stored in a database somewhere in order to verify that what a user enters is correct, right?


Oh, when you said it was stored in plain text, I thought you were saying that it wasn't hashed. I wasn't saying you need to hash a hash. That still doesn't seem like the best configuration, but a salted hash is much better than a plain text password. That's all I was getting at.

Seen wrote:Or, I guess if it wasn't stored in a database and just used it as decryption key for the other passwords, then the login would fail if the database doesn't decrypt properly.  Is it possible to test for that?


Yes, you could have a known text string (i.e. "success") stored that would be stored encrypted with the password, and that could be decrypted with the password upon login. I'm not sure if that provides any genuine benefit over a salted hash though. Instead of trying to crack the hash, an attacker would just use a brute-force or dictionary attack and compare it to the known plain text. If the site were compromised, it would probably be easy to identify the known plain text in the authentication code.

My next question was going to be how he handles password resets, but I just saw that you said that functionality isn't currently implemented. When a user changes his/her password, the users' passwords would just have to be read in, decrypted, re-encrypted with the new password, and then have the corresponding rows updated with the new encrypted password information. Hopefully nothing fails in the middle of that process though ;)
The day you stop learning is the day you start becoming obsolete.
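For the two points above, noticing that a record "doesn't decrypt properly" and re-encrypting every row when the master password changes, an added example in Go (not code from this thread): AES-GCM is an authenticated cipher, so decrypting with the wrong key is a hard error rather than garbage to inspect, and the re-key builds a complete new set before anything stored is replaced. It assumes 32-byte session keys already derived from the old and new master passwords; the record contents are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aead wraps AES-256-GCM for a 32-byte key; any other length is a caller bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // only errs for non-standard block sizes
	return g
}

// Seal encrypts one stored credential as nonce || ciphertext || tag.
func Seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand: a fresh nonce per record, never reused with a key
	return g.Seal(nonce, nonce, plaintext, nil)
}

// Open authenticates then decrypts; a wrong key is an error, so a login can detect "doesn't decrypt properly" with no known-plaintext marker.
func Open(key, blob []byte) ([]byte, error) {
	g := aead(key)
	n := g.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short")
	}
	return g.Open(nil, blob[:n], blob[n:], nil)
}

// Rekey re-encrypts every record under newKey into a fresh slice, so a failure
// part-way leaves the stored set untouched; write the result back in one DB transaction.
func Rekey(blobs [][]byte, oldKey, newKey []byte) ([][]byte, error) {
	out := make([][]byte, len(blobs))
	for i, b := range blobs {
		p, err := Open(oldKey, b)
		if err != nil {
			return nil, fmt.Errorf("record %d: %w", i, err)
		}
		out[i] = Seal(newKey, p)
	}
	return out, nil
}
```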
l33t5h@rk

Jr. Member

Posts: 79

Joined: Tue Nov 22, 2011 12:06 am

Post Wed Dec 28, 2011 11:21 am

Re: Secure Password Storage

What does the master password do exactly?

I have written an app before that used a similar setup, but the master password was more of the value of an encryption key that was stored (hashed) in a configuration file, with the keys residing at the OS level.
Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Wed Dec 28, 2011 2:37 pm

Re: Secure Password Storage

dynamik wrote:Yes, you could have a known text string (i.e. "success") stored that would be stored encrypted with the password, and that could be decrypted with the password upon login. I'm not sure if that provides any genuine benefit over a salted hash though. Instead of trying to crack the hash, an attacker would just use a brute-force or dictionary attack and compare it to the known plain text. If the site were compromised, it would probably be easy to identify the known plain text in the authentication code.


I had that same thought this morning :)  I think I'll have my friend use a salted hash and then read a value from the database; if it's not garbage, then the login is successful.

l33t5h@rk wrote:What does the master password do exactly?


Think about the master password like a single sign-on (SSO).  You log into the site with the password for your account, and then you have access to various data from other sites using the stored usernames/passwords for each.
Sec+, eCPPT
l33t5h@rk

Jr. Member

Posts: 79

Joined: Tue Nov 22, 2011 12:06 am

Post Tue Jan 03, 2012 8:13 am

Re: Secure Password Storage

Are the other sites similar sites to this or common social networking sites and this is a portal to those? Just curious as to the goal.
Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Tue Jan 03, 2012 10:09 am

Re: Secure Password Storage

l33t5h@rk wrote:Are the other sites similar sites to this or common social networking sites and this is a portal to those? Just curious as to the goal.


Social networking sites like twitter, facebook, etc.  The idea is instead of having each different site alert you on updates, postings, etc, this site will alert you to all of them.  It's somewhat more complex than that but that is the basic idea.
Sec+, eCPPT
