
How to spoil password security by following Habr's tips

In a recent article, “How to hash passwords and how not to have it,” it was proposed to use a certain local parameter (also called pepper) as another line of defense for passwords. Although this solution creates more problems than it solves, most commentators supported the idea, and those who disagreed, as usual, were warned. The world in my head collapsed, and I decided to write this article.

The essence


Pepper is a global random string that is added to every password (in addition to the salt). It is secret (unlike the salt). Thus, even after obtaining the database, an attacker cannot recover the passwords. And everything seems to be fine ...

Invalidation problem


Pepper is global by nature. If you want to change it, for example after a leak, you will have to change all passwords.

Storage problem


The pepper must be stored so that it is accessible to the application but inaccessible to the attacker. A flash drive in a safe is, of course, an option, but obviously not one suitable for websites and web applications, where a user can log in at any time.

The problem of the "illusion of security"


Pepper, as it were, “strengthens” a weak password, but only in the depths of the system. Through the login form, the password “asdf” is still guessed easily. A weak password is a weak password, no matter how much you fool yourself.

Implementation problem


There is no academic work, RFC or detailed study that recommends using pepper.
There is no implementation of a known, proven algorithm that takes a local parameter as an argument.
Salt - yes, pepper - no.
A very important conclusion follows from this: your implementation will be a crypto-bicycle, that is, a reinvented wheel. With all the consequences.

Demo time


An experienced developer knows that the hash must be slow and salted, so he uses bcrypt.
Having read the article on Habr, he decides to strengthen it all with pepper.
And a user comes to his site, an advanced one at that, who knows that passwords must be complex:

    <?php
    // Pepper: a long, random, secret string.
    $pepper = '.dQUEtby7P35;k"5EhPB<j.;,9hqvs!(<"B]=#dBfhnyaN)v>8Z_bs%YJW/u~{w5:4B!s5F>';
    // The user's password: complex, as it should be.
    $password = 'E&z89Usr?R7VF.^';
    // Hash it!
    $hash = password_hash($pepper . $password, PASSWORD_BCRYPT);
    var_dump($hash);
    // string(60) "$2y$10$0V95jRy9I.P3t7YRiMHT3O7JEveN1Gya/LbvNJ.H6K1mVPxPFRsUm"
    // (your value will differ, because the salt is random)

And now, login (watch your hands!):

    <?php
    // The same pepper.
    $pepper = '.dQUEtby7P35;k"5EhPB<j.;,9hqvs!(<"B]=#dBfhnyaN)v>8Z_bs%YJW/u~{w5:4B!s5F>';
    // The hash stored earlier (from the previous listing).
    $hash = '$2y$10$0V95jRy9I.P3t7YRiMHT3O7JEveN1Gya/LbvNJ.H6K1mVPxPFRsUm';
    // Attention! A completely different password!
    $password = 'habrahabr';
    // Verify the password.
    echo password_verify($pepper . $password, $hash) ? 'Login OK' : 'Wrong password';
    // Login OK
    // WTF???

In this uncomplicated way, we multiplied our entire defense by zero.
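Why the login above succeeds: bcrypt uses only the first 72 bytes of its input, and the pepper in the demo is already 72 bytes long, so no byte of the password reaches the hash. The following is an added example, not code from the original article; it models that truncation with the Python standard library only, and the function names and the short and Cyrillic sample peppers are constructed for illustration.

```python
# Added example: models bcrypt's 72-byte input limit; no bcrypt library needed.
BCRYPT_MAX_BYTES = 72  # bcrypt ignores everything after the first 72 bytes

# Pepper and passwords copied from the article's demo.
PEPPER = '.dQUEtby7P35;k"5EhPB<j.;,9hqvs!(<"B]=#dBfhnyaN)v>8Z_bs%YJW/u~{w5:4B!s5F>'
REAL_PASSWORD = 'E&z89Usr?R7VF.^'
OTHER_PASSWORD = 'habrahabr'
# Constructed sample peppers (assumptions, not from the article).
SHORT_PEPPER = 'k3Yq-constructed'
CYRILLIC_PEPPER = 'перец' * 8  # 40 characters, but 80 bytes in UTF-8


def effective_input(pepper: str, password: str) -> bytes:
    """Bytes that a truncating bcrypt implementation actually hashes."""
    return (pepper + password).encode('utf-8')[:BCRYPT_MAX_BYTES]


def password_bytes_used(pepper: str, password: str) -> int:
    """Number of password bytes that survive the truncation."""
    room = max(0, BCRYPT_MAX_BYTES - len(pepper.encode('utf-8')))
    return min(room, len(password.encode('utf-8')))


def accepted_as_same(pepper: str, stored: str, candidate: str) -> bool:
    """True if 'candidate' would verify against the hash made from 'stored'."""
    return effective_input(pepper, stored) == effective_input(pepper, candidate)


def checked_input(pepper: str, password: str) -> bytes:
    """Pre-hash guard: refuse input that bcrypt would silently cut."""
    data = (pepper + password).encode('utf-8')
    if len(data) > BCRYPT_MAX_BYTES:
        raise ValueError(f'{len(data)} bytes exceed the bcrypt limit of {BCRYPT_MAX_BYTES}')
    return data


if __name__ == '__main__':
    samples = [('article', PEPPER), ('short', SHORT_PEPPER), ('cyrillic', CYRILLIC_PEPPER)]
    for name, pepper in samples:
        used = password_bytes_used(pepper, REAL_PASSWORD)
        same = accepted_as_same(pepper, REAL_PASSWORD, OTHER_PASSWORD)
        print(f'{name}: {used} password bytes hashed, wrong password accepted: {same}')
```

The limit counts bytes, not characters, which is why the 40-character Cyrillic pepper swallows the password just as the article's 72-character ASCII pepper does.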

Post update


Blaming PHP?
Try this:

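    #!/usr/bin/env python
    import bcrypt

    # bcrypt works on bytes, so the pepper and passwords are bytes literals.
    pepper = b'.dQUEtby7P35;k"5EhPB<j.;,9hqvs!(<"B]=#dBfhnyaN)v>8Z_bs%YJW/u~{w5:4B!s5F>'
    password = b'E&z89Usr?R7VF.^'
    # Hash pepper + password with a fresh random salt.
    hashed = bcrypt.hashpw(pepper + password, bcrypt.gensalt())
    print(hashed)

    # Log in with a different password: re-hash with the stored salt and compare.
    password = b'habrahabr'
    if bcrypt.hashpw(pepper + password, hashed) == hashed:
        print('Login OK')
    else:
        print('Wrong password')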

Obviously, the pepper should be appended at the end instead?
What makes you think that this will work? Is there an RFC where it is written?
Wherever you put the pepper, it is a bicycle.

What I described in the article is old news and has long been known?
Then why did you keep silent about it? Somehow I have never come across a comment on Habr in which you warned about possible problems.
Oh yes, that's obvious.

Source: https://habr.com/ru/post/211645/

