#34661: Peppering user passwords
-------------------------------+--------------------------------------
Reporter: Fatih Erikli | Owner: nobody
Type: Uncategorized | Status: new
Component: contrib.auth | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Description changed by Fatih Erikli:
Old description:
> Currently a user's password stored in database in this format:
>
> > <algorithm>$<iterations>$<salt>$<hash>
>
> The salt is a random generated string per user. Hash (Last column) is the
> password hashed with the stored in previous column.
>
> Example, these are two computed passwords, stored on database, for the
> same password of two users.
>
> >
> pbkdf2_sha256$600000$fb9cUsHWK4EMZ7VWGBAcGD$2uwiVefFwanIhxLrv+/t3sKvP4X6tDKEMw/ysHD5dIc=
> >
> pbkdf2_sha256$600000$HgWHWrF2qQD9Owj4XeEkjY$rh0qzfo+/ZCzWbL9ZJa8aKhiO5xoEMfT4EtP/+A+LzI=
>
> The password is **123456**.
>
> Imagine I am an attacker, who got the database of different django
> project, I want to look up the users who have the chosen the password
> 123456.
>
> I have the salts of users stored in database.
>
> > make_password('123456', 'fb9cUsHWK4EMZ7VWGBAcGD')
> >
> pbkdf2_sha256$600000$fb9cUsHWK4EMZ7VWGBAcGD$2uwiVefFwanIhxLrv+/t3sKvP4X6tDKEMw/ysHD5dIc=
>
> > make_password('123456', 'HgWHWrF2qQD9Owj4XeEkjY')
> >
> pbkdf2_sha256$600000$HgWHWrF2qQD9Owj4XeEkjY$rh0qzfo+/ZCzWbL9ZJa8aKhiO5xoEMfT4EtP/+A+LzI=
>
> These are correct password combinations. I am able to lookup the users
> who have their passwords exposed in public.
>
> There is one more element needed for hashing the password, **pepper**,
> should be django project specific. Even when a database is exposed, the
> attacker will not be able to lookup the known passwords, since they don't
> have the secret pepper key.
>
> I am not sure about the vulnerability enumeration, however this cause
> CWE-760 even though salt is not weak, but it is known, when a database is
> exposed. Because the salt is stored next to the hashed password.
>
> I think peppering passwords should be a default behavior of django.
New description:
Currently a user's password stored in database in this format:
> <algorithm>$<iterations>$<salt>$<hash>
The salt is a random generated string per user. Hash (Last column) is the
password hashed with the stored in previous column.
Example, these are two computed passwords, stored on database, for the
same password of two users.
>
pbkdf2_sha256$600000$fb9cUsHWK4EMZ7VWGBAcGD$2uwiVefFwanIhxLrv+/t3sKvP4X6tDKEMw/ysHD5dIc=
>
pbkdf2_sha256$600000$HgWHWrF2qQD9Owj4XeEkjY$rh0qzfo+/ZCzWbL9ZJa8aKhiO5xoEMfT4EtP/+A+LzI=
The password is **123456**.
Imagine I am an attacker, who got the database of different django
project, I want to look up the users who have the chosen the password
123456.
I have the salts of users stored in database.
> make_password('123456', 'fb9cUsHWK4EMZ7VWGBAcGD')
>
pbkdf2_sha256$600000$fb9cUsHWK4EMZ7VWGBAcGD$2uwiVefFwanIhxLrv+/t3sKvP4X6tDKEMw/ysHD5dIc=
> make_password('123456', 'HgWHWrF2qQD9Owj4XeEkjY')
>
pbkdf2_sha256$600000$HgWHWrF2qQD9Owj4XeEkjY$rh0qzfo+/ZCzWbL9ZJa8aKhiO5xoEMfT4EtP/+A+LzI=
These are correct password combinations. I am able to lookup the users who
have their passwords exposed in public.
There is one more element needed for hashing the password, **pepper**,
should be django project specific. Even when a database is exposed, the
attacker will not be able to lookup the known passwords, since they don't
have the secret pepper key.
I am not sure about the vulnerability enumeration, however this cause
CWE-760 even though salt is not weak, but it is known, when a database is
exposed. Because the salt is stored next to the hashed password.
I think peppering passwords should be default behavior of django.
--
--
Ticket URL: <https://code.djangoproject.com/ticket/34661#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/01070188c53bc803-25632a33-2eb8-4b96-bd28-41e68b9320b4-000000%40eu-central-1.amazonses.com.
