Security Auditors asking to salt-hash the password field in client side during login attempt
Hi,
Security auditors are asking me to salt-hash the Umbraco backoffice password field on the client side during login attempts, as they say that the clear-text password should not be sent over a network even if we allow SSL/TLS connections only.
Isn't the whole purpose of using SSL certificates to encrypt details like passwords or any other sensitive data and prevent malicious activity?
Can anybody help me? Security auditors won't allow me to go live without a salt-hashed password field during login attempts.
This does NOT improve the security of your application; only SSL/TLS does that. It is just as easy to intercept a hashed password as a plaintext one. They won't be able to steal the password itself (to try on other systems), but they would still be able to log in to yours by sending the stolen hashed password.
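To make the point above concrete, here is a small model (added illustration, not Umbraco's code; every name is constructed) of a backoffice that either accepts the raw password or a client-side salted hash of it. It assumes a fixed per-user client-side salt and that an observer can read the login request, i.e. the case without TLS, and checks what that observer ends up with in each configuration.

```python
"""Does client-side hashing help if the login request can be read in transit?"""
import hashlib
import hmac
import secrets

# Constructed values: a fixed per-user salt the browser would use (assumption),
# and the server's own storage salt for server-side hashing.
CLIENT_SALT = "constructed-per-user-salt"
_SERVER_SALT = secrets.token_bytes(16)


def client_side_hash(password: str) -> str:
    """The auditors' proposal: hash the password in the browser before sending."""
    return hashlib.sha256((CLIENT_SALT + password).encode()).hexdigest()


def server_side_hash(wire_credential: str) -> str:
    """What a CMS normally does: hash whatever credential arrives before storing/comparing."""
    return hashlib.pbkdf2_hmac("sha256", wire_credential.encode(), _SERVER_SALT, 100_000).hex()


class Backoffice:
    """Toy login endpoint. `client_hashing` selects which credential the wire carries."""

    def __init__(self, password: str, client_hashing: bool):
        self.client_hashing = client_hashing
        self.stored = server_side_hash(self.wire_credential(password))

    def wire_credential(self, password: str) -> str:
        # Exactly the string the browser puts in the login request.
        return client_side_hash(password) if self.client_hashing else password

    def login(self, wire_credential: str) -> bool:
        return hmac.compare_digest(self.stored, server_side_hash(wire_credential))


def eavesdropper_outcome(site: Backoffice, password: str) -> dict:
    """Observer reads one login request (no TLS) and tries to reuse what it saw."""
    observed = site.wire_credential(password)
    return {
        "can_log_in_here": site.login(observed),     # True in both configurations
        "learned_password": observed == password,     # only differs for other systems
    }
```

Whatever the browser sends is, by construction, the credential the server accepts, so client-side hashing only changes whether the password itself is exposed for reuse elsewhere; confidentiality of the request is still TLS's job.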
Hi, first of all thank you for replying, and yes, I understand what you are saying. I am already using SSL/TLS certificates, but this security audit team doesn't seem to understand. I tried explaining everything to them, but they want me to customize the Umbraco CMS.
Not a very good security team then :)
There is no benefit to be gained from hashing the password client side if you are using SSL.
Unless I'm the one mistaken, I think your security team are misinformed. By default, passwords are already hashed.
UmbracoMembershipProvider & UsersMembershipProvider in your web.config have a setting for the password format.
You can choose between Clear, Hashed and Encrypted. I believe it's salt-hashed using a salt specific to the machine too.
@RyanW yes, the passwords are hashed before they are saved in the database, but the security team is talking about hashing passwords on the client side using a new salt generated by the server for every login attempt, which even I believe is not necessary as we are already using SSL/TLS certificates.