[rabbitmq-discuss] Hash passwords
Simon MacMullen
simon at rabbitmq.com
Thu Oct 3 15:20:27 BST 2013
On 03/10/2013 3:11PM, Felipe Gutierrez Cruz wrote:
> The client wanted to know if through the Java API, you can pass the
> password hash and if that would be accepted (that's what I meant
> programmatically)
Ah, right.

I assume they would hope that by doing that they would improve the
security of the system "by not sending passwords in plaintext". In fact
they would make the system *less* secure by doing so.

Why do we hash and salt the password anyway? To try to make sure that if
a hashed / salted password somehow leaks, then it can't be used to
access the system. But if we allowed AMQP clients to authenticate with
password hashes, that would no longer be true - the hash would in effect
*become* the password, so we would have lost the benefits of hashing in
the first place.

Now, there are some SASL mechanisms that allow you to do
challenge-response authentication, such that the password does not go
over the wire in plaintext. But the only one that's remotely
standardised is CRAM-MD5 - and that requires you to store an *unsalted*
MD5 hash - not a brilliant idea. So we don't support CRAM-MD5 or
anything like it in RabbitMQ.

The state of the art of challenge-response SASL auth for passwords has
basically died - as far as I can see because it's hard to do it right,
and SSL *does* get it right while also securing the entire transport.

So the short answer is: use SSL if you want to be safe from wire-level
snooping. Accept no substitutes!

Cheers, Simon
--
Simon MacMullen
RabbitMQ, Pivotal
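An added illustration of the argument in the post above (example code, not RabbitMQ's own and not from the thread): a server that compares a client-supplied hash against its stored hash turns a leaked credential table into working logins, whereas a server that recomputes the hash from the presented password does not; the CRAM-MD5 helper shows why that mechanism needs the raw, unsalted secret on the server side. The salt-plus-SHA-256 record layout and the fixed salt are assumptions made for the example, not RabbitMQ's actual storage format.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed model of a broker's credential store: the record is
# salt || SHA-256(salt || password). Layout is an assumption for this example.
SALT_LEN = 4


def make_record(password: str, salt: Optional[bytes] = None) -> bytes:
    """Create the stored record for a password; only this is kept server-side."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    return salt + hashlib.sha256(salt + password.encode()).digest()


def verify_password(record: bytes, presented: str) -> bool:
    """Correct check: recompute the hash from the password the client sent."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.sha256(salt + presented.encode()).digest()
    return hmac.compare_digest(candidate, digest)


def verify_hash(record: bytes, presented_hash: bytes) -> bool:
    """What the client asked for: accept a hash sent by the client and compare it
    to the stored one. Now the stored value alone is enough to log in, so it
    *is* the password and hashing it gained nothing."""
    return hmac.compare_digest(record[SALT_LEN:], presented_hash)


def cram_md5_response(password: str, challenge: bytes) -> str:
    """CRAM-MD5 (RFC 2195) client response: HMAC-MD5 keyed with the raw password.
    To verify it the server must hold the password (or an unsalted MD5
    intermediate), which is why the post says CRAM-MD5 forces an unsalted store."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def leaked_store_scenario(password: str = "guest") -> dict:
    """Simulate a leak of the credential table (constructed data) and report
    which server design lets the leaked record authenticate on its own."""
    record = make_record(password, salt=b"\x01\x02\x03\x04")  # fixed for reproducibility
    leaked_digest = record[SALT_LEN:]  # the value exposed when the table leaks
    return {
        "password_check_with_leaked_digest": verify_password(record, leaked_digest.hex()),
        "hash_check_with_leaked_digest": verify_hash(record, leaked_digest),
        "password_check_with_real_password": verify_password(record, password),
    }
```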