[rabbitmq-discuss] Hash passwords

Simon MacMullen simon at rabbitmq.com
Thu Oct 3 15:20:27 BST 2013


On 03/10/2013 3:11PM, Felipe Gutierrez Cruz wrote:
> The client wanted to know if through the Java API, you can pass the
> password hash and if that would be accepted (that's what I meant
> programmatically)

Ah, right.

I assume they would hope that by doing that they would improve the 
security of the system "by not sending passwords in plaintext". In fact 
they would make the system *less* secure by doing so.

Why do we hash and salt the password anyway? To try to make sure that if 
a hashed / salted password somehow leaks, then it can't be used to 
access the system. But if we allowed AMQP clients to authenticate 
password hashes, that would no longer be true - the hash would in effect 
*become* the password, so we would have lost the benefits of hashing in 
the first place.

Now, there are some SASL mechanisms that allow you to do 
challenge-response authentication, such that the password does not go 
over the wire in plaintext. But the only one that's remotely 
standardised is CRAM-MD5 - and that requires you to store an *unsalted* 
MD5 hash - not a brilliant idea. So we don't support CRAM-MD5 or 
anything like it in RabbitMQ.

The state of the art of challenge-response SASL auth for passwords has 
basically died - as far as I can see because it's hard to do it right, 
and SSL *does* get it right while also securing the entire transport.

So the short answer is: use SSL if you want to be safe from wire-level 
snooping. Accept no substitutes!

Cheers, Simon

-- 
Simon MacMullen
RabbitMQ, Pivotal
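A constructed Python illustration of the argument above (added here; not code from the thread or from RabbitMQ): a salted credential store only protects a leaked record when the broker re-derives the hash from a plaintext password, and CRAM-MD5 forces the server to hold an unsalted secret. The record layout and the verifier function names are assumptions for the demo, not RabbitMQ's actual format.

```python
import hashlib
import hmac
import os

# Constructed demo. Record layout is a simplified stand-in (salt || SHA-256),
# not RabbitMQ's on-disk password format.

def make_record(password: str) -> dict:
    """Server-side record: random salt plus SHA-256(salt || password)."""
    salt = os.urandom(4)
    return {"salt": salt, "hash": hashlib.sha256(salt + password.encode()).digest()}

def verify_plain(record: dict, password: str) -> bool:
    """Broker receives the plaintext password (e.g. SASL PLAIN over TLS),
    re-hashes it with the stored salt and compares in constant time."""
    candidate = hashlib.sha256(record["salt"] + password.encode()).digest()
    return hmac.compare_digest(candidate, record["hash"])

def verify_hash_as_credential(record: dict, presented: bytes) -> bool:
    """What the client asked for: accept the hash itself as the credential.
    Whoever holds the stored record can now log in; the hash *is* the password."""
    return hmac.compare_digest(presented, record["hash"])

def cram_md5_server_verify(stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """CRAM-MD5 check: response = HMAC-MD5(password, challenge). The server can
    only recompute this from the password (or an unsalted MD5-derived key),
    so it cannot keep a salted hash. This is the trade-off the post describes."""
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest().encode()
    return hmac.compare_digest(expected, response)

def leak_scenario(password: str = "s3cret") -> dict:
    """Attacker has copied the credential record but never saw the password."""
    record = make_record(password)
    leaked_hash = record["hash"]
    challenge = os.urandom(16)
    # Honest CRAM-MD5 client response, computed from the real password.
    client_response = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest().encode()
    return {
        "plain_correct": verify_plain(record, password),                    # True
        "plain_leaked_hash": verify_plain(record, leaked_hash.hex()),       # False: hash is not the password
        "hashcred_leaked_hash": verify_hash_as_credential(record, leaked_hash),  # True: leak == compromise
        "cram_needs_password": cram_md5_server_verify(password.encode(), challenge, client_response),  # True
    }
```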

