Password strength checking - foiled by hashed password in auditor

John P. Rouillard
Hi all:

David Hancock on the roundup-users list asked about verifying minimum
password strength checks server side in roundup.

    https://sourceforge.net/p/roundup/mailman/roundup-users/thread/C7A466B0-209D-4B91-836D-A56A78D11E2D%40arinc.com/#msg35630984

The suggestion was brought up to write an auditor on the user
class. However the password passed to the auditor is already hashed,
and the hash passes all password requirements 8-).

   https://sourceforge.net/p/roundup/mailman/roundup-users/thread/C9796144-9F18-407D-A875-E8D10377951A%40arinc.com/#msg35638393

Anybody got an idea of how we could validate the raw password in the
roundup code?

My initial thought was to somehow get it into the auditor as
<propname>_raw or something, but it looks like we have long since lost
access to the raw password by the time we get to that level in the
code.

Would it be possible to add a method to the hyperdb Password class:

   def validate (self, value):
       return value

that could be overridden on a per-tracker basis (assuming a single
running roundup instance would have multiple trackers with different
validation requirements)?

Quips, comments, evasions, questions, or answers?

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Roundup-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/roundup-devel
Re: Password strength checking - foiled by hashed password in auditor

Anthony Pankov

> My initial thought was to somehow get it into the auditor as
> <propname>_raw or something, but it looks like we have long since lost
> access to the raw password by the time we get to that level in the
> code.

Vivification of raw password in source code seems bad to me.

> Would it be possible to add a method to the hyperdb Password class:

>    def validate (self, value):
>        return value

> that could be overridden on a per-tracker basis (assuming a single
> running roundup instance would have multiple trackers with different
> validation requirements)?

> Quips, comments, evasions, questions, or answers?

I think that password strength verification may be done on a
browser side (via Javascript). Is this way sufficient? Can we imagine an evil
hacker who tries to bypass strength verification and registers himself
with a weak password?

--
Best regards,
 Anthony                          mailto:[hidden email]


Re: Password strength checking - foiled by hashed password in auditor

John P. Rouillard
Hi Anthony:

In message <[hidden email]>,
Anthony Pankov writes:
>> My initial thought was to somehow get it into the auditor as
>> <propname>_raw or something, but it looks like we have long since lost
>> access to the raw password by the time we get to that level in the
>> code.
>
>Vivification of raw password in source code seems bad to me.

Well, it's the only place it can be enforced. I routinely run without
javascript turned on.


>I think that password  strength  verification  may  be done on a
>browser side (via Javascript).

That is what a few of us have proposed. But again if javascript is
turned off a simple password will not be rejected and the user will
have no idea.

>Is this way sufficient? Can we imagine an evil hacker who tries to
>bypass strength verification and registers himself with a weak password?

I think that is less of a concern than having users choose poor
passwords on a tracker that they may access without javascript enabled
in their browsers, thus leaving the tracker (and the info stored in
the tracker) vulnerable.

I know my trackers are usable without javascript. I can use w3m to
annotate an issue and upload an attachment from a server halfway
around the world.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
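The two points of this thread in running code, as an added example that is not roundup's own code: an auditor that sees only the hashed value passes any password (the problem in the first message), while a `validate` hook on the Password class runs on the raw value before hashing and can be swapped per tracker (the proposed fix, which works with or without browser-side javascript). `Password`, `WeakPassword`, `length_auditor` and `strict_policy` are constructed stand-ins, and the PBKDF2 encoding is illustrative, not roundup's real storage format.

```python
import hashlib
import os
import re


class WeakPassword(ValueError):
    """Raised when the raw password fails the tracker's policy (constructed)."""


class Password:
    """Stand-in for a hyperdb-style Password value (not roundup's class).

    The raw text is handed to the tracker's ``validate`` policy *before*
    hashing; only the salted hash is kept, so anything that runs later
    (an auditor, a detector) can no longer inspect the plaintext.
    """

    def __init__(self, plaintext, validate=None):
        # Default policy accepts everything, mirroring the proposed
        # ``def validate(self, value): return value`` from the thread.
        self.validate = validate or (lambda raw: raw)
        raw = self.validate(plaintext)          # may raise WeakPassword
        self.salt = os.urandom(16)
        self.hash = hashlib.pbkdf2_hmac("sha256", raw.encode(), self.salt, 100_000)

    def __str__(self):
        # Encoded form an auditor would receive: scheme$salt$hash (constructed).
        return "PBKDF2$" + self.salt.hex() + "$" + self.hash.hex()


def length_auditor(stored_value):
    """Auditor-style check on what the auditor actually gets: the encoded hash.

    It asks for 8+ characters with both letters and digits, which a hex
    digest always satisfies, so even 'abc' sails through.
    """
    return (len(stored_value) >= 8
            and re.search(r"[A-Za-z]", stored_value) is not None
            and re.search(r"\d", stored_value) is not None)


def strict_policy(raw):
    """One tracker's override of validate(): 12+ chars, an uppercase letter, a digit."""
    if len(raw) < 12 or not re.search(r"[A-Z]", raw) or not re.search(r"\d", raw):
        raise WeakPassword("need 12+ characters with an uppercase letter and a digit")
    return raw


def set_password(plaintext, validate=None):
    """Return True if the tracker accepts the password, False if the policy rejects it."""
    try:
        Password(plaintext, validate)
        return True
    except WeakPassword:
        return False
```

The same `strict_policy` can be replaced by a different callable for each tracker instance, which is the per-tracker override the first message asks for.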
