Hashed and salted storage of token_auth #9457
Comments
An alternative option, without a need for an API change, could be using a part of the transmitted

The verification procedure would be:

Implementation of

I'm not an expert in any way, so I may have mixed things up.

Closing this as a duplicate of #6559
Authentication tokens have a similar level of confidentiality to passwords. Actually, currently, due to the coupling of the `token_auth` to passwords and their equal power in Piwik, its `token_auth` has exactly the same level of confidentiality as passwords. Yet they are stored in plain text.

The `token_auth` should be stored with the same rigorous hashing and salting as passwords. For the same reasons.

Notes:

- Similar report for strong hashing of passwords: Passwords: use better algorithm than md5 hash, use salts and maintain BC #5728. Similarly, `token_auth` handling should also use PHP's `password_hash()` for hashing (it's a strong hash and handles salt automatically) and `password_verify()` for value verification (it's safe against timing attacks - see Preventing timing attacks on authentication #9456). They require PHP 5 >= 5.5.0, which should be fine for Piwik 3.0 (see Drop support for PHP 5.4, require PHP 5.5 #8156). Otherwise, there is this: https://github.com/ircmaxell/password_compat.
- This might need an API change, requiring a user name ("login") to always be sent together with `token_auth`. (Otherwise, a "brute-forcing" of the user whom the `token_auth` belongs to would be needed. I.e.: hashing of the received `token_auth` with the salt used for each of the users and checking if the result corresponds to any of them. But a DB query for `token_auth`, no matter if hashed or not, could be unsafe against timing attacks - see Preventing timing attacks on authentication #9456. The authentication query should be for the user name ("login"), never for `token_auth`. Just like with passwords.) This point refers to the fact that currently, in authentication cases without a provided user name (I haven't checked when this happens), the DB is queried using the (plain-text) `token_auth` in https://github.com/piwik/piwik/blob/2.16.0-b1/plugins/Login/Auth.php#L72, which calls https://github.com/piwik/piwik/blob/2.16.0-b1/plugins/UsersManager/Model.php#L173.
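A sketch of the storage and verification flow the issue asks for, as an added example that is not Piwik's code: the token is hashed with `password_hash()`, the user record is looked up by login only, and `password_verify()` does the comparison. The in-memory `$users` array and the function names `issueToken` / `verifyToken` are assumptions standing in for the `UsersManager` model.

```php
<?php
declare(strict_types=1);

// Added example, not Piwik's code. $users stands in for the users table,
// keyed by login; in Piwik this would be a query in the UsersManager model.

// Issue a fresh random token, return it to the caller once, and store only its hash.
function issueToken(array &$users, string $login): string
{
    $tokenAuth = bin2hex(random_bytes(16)); // 32 hex chars, shown to the user once
    // password_hash() generates a random salt and embeds it in the hash string.
    $users[$login] = ['token_auth_hash' => password_hash($tokenAuth, PASSWORD_DEFAULT)];
    return $tokenAuth;
}

// Verify a (login, token_auth) pair. The lookup is by login only; the token
// never becomes a query parameter, so the DB access does not depend on it.
function verifyToken(array $users, string $login, string $tokenAuth): bool
{
    // Dummy hash so an unknown login still costs one password_verify(),
    // keeping the timing profile the same as for a known login.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    $known = isset($users[$login]);
    $hash  = $known ? $users[$login]['token_auth_hash'] : $dummyHash;
    $ok    = password_verify($tokenAuth, $hash);   // constant-time comparison
    return $known && $ok;
}

// Demo with a constructed user record.
$users = [];
$token = issueToken($users, 'alice');
var_dump(strpos($users['alice']['token_auth_hash'], '$2y$') === 0); // true: bcrypt, not plain text
var_dump(verifyToken($users, 'alice', $token));        // true
var_dump(verifyToken($users, 'alice', 'wrong-token'));  // false
var_dump(verifyToken($users, 'nobody', $token));       // false, same cost as the line above
```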