Plain Stupid

Revision as of 18:52, 20 December 2014 by Zash (talk | contribs) (>4k rounds of HMAC, which involves applying the hash function twice, so >8k hash iterations ;))

What is this?

Plain Stupid is a campaign to ensure that all your XMPP passwords are stored on XMPP servers in a securely hashed manner.

What does this mean?

A hash is a one-way function. Given your password, the server can check that it matches, but the server doesn't hold your password itself, and it is very hard to recover it from the data the server has (for password storage the hash is also salted and iterated many times, to make guessing slow). It's a bit like a fingerprint - you can match a person's fingerprint, but given only the fingerprint, you have to check people until you find the right one.

If a server gets hacked, we want the hacker to only have some unusable hashes, and not have the ability to get your password (and log in as you).

After all, your dog's name should remain a secret. ;-)

Why do I need to do anything?

Your IM client logs into an XMPP server in one of a number of ways, all part of a framework called SASL. The different ways are called "SASL Mechanisms". The simplest one is PLAIN, which just sends your username and password to the server. That works with hashed passwords, but unless the connection is protected by TLS your password crosses the network in the clear, and this is bad.

Old IM clients use a mechanism called "DIGEST-MD5", which keeps the password itself off the network (the client sends an MD5 digest of it mixed with some nonces), but it doesn't really work with securely hashed password stores. It is also built on MD5, an old hash function with known collision attacks. For these and other reasons the IETF has formally moved it to Historic status (RFC 6331).

Newer IM clients (and servers!) use SCRAM (RFC 5802). SCRAM works with securely hashed password stores, is simpler to implement correctly, and has other improved security features, such as letting the client verify that the server knows the password too (mutual authentication).

You want to be using a client that does SCRAM, or - if that's not possible - does PLAIN over TLS.

Questions for technical people:

Hey, DIGEST-MD5 can use an intermediate hash and ...

Yes, but:

  • DIGEST-MD5 has been moved to Historic status (RFC 6331), and you shouldn't be using it anymore. Bad things happen when you use unmaintained security protocols.
  • Actually, that intermediate hash is a plaintext equivalent: anyone who steals it from the server can compute valid responses and log in as you without ever knowing your password.
  • And the intermediate hash is just one round of unsalted MD5 over username:realm:password. Guessing passwords against that is really not hard.

What hashes does SCRAM use?

SCRAM is a family of mechanisms, parameterised by the hash function. SCRAM-SHA-1 is standardised in RFC 5802; variants built on the stronger SHA-2 hashes were, at the time of this revision, still Internet Drafts rather than RFCs.

It also supports channel binding (the SCRAM-*-PLUS variants), which ties the authentication to the TLS session, as a way of detecting a man-in-the-middle that terminates TLS.

The server stores a per-user salt, an iteration count, and two keys derived from the password with PBKDF2 (RFC 5802 recommends at least 4096 iterations; each iteration is an HMAC, which applies the hash function twice, so over 8000 hash invocations in all). An attacker who steals these can still try every candidate password, but each guess costs those thousands of hash invocations rather than the single MD5 of a DIGEST-MD5 intermediate hash, so it takes much, much longer.
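The following is an added worked example of a SCRAM-SHA-1 exchange (RFC 5802), written for this page and not taken from the XMPP wiki or from any XMPP server or client. It shows what the server actually stores (salt, iteration count, StoredKey, ServerKey), the messages both sides exchange with no channel binding (the "n,," GS2 header, so c=biws), how the server verifies the client's proof from StoredKey alone, how the client verifies the server's signature, and what a thief of the stored record is reduced to: guessing passwords at 4096 HMACs per guess. Usernames, passwords and the fixed salt used in the demo are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

HASH = "sha1"
ITERATIONS = 4096  # RFC 5802: at least 4096


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """RFC 5802 'Hi' is PBKDF2 with HMAC-<hash> as the PRF and one output block."""
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations)


def hmac_(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def parse(msg: bytes) -> dict:
    """Split 'k=v,k=v' attribute lists (base64 never contains a comma)."""
    return dict(kv.split(b"=", 1) for kv in msg.split(b","))


def store_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> dict:
    """Server-side record. The password is not kept; only values derived from it."""
    salt = salt or os.urandom(16)
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac_(salted, b"Client Key")
    server_key = hmac_(salted, b"Server Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": h(client_key), "server_key": server_key}


def client_first(username: str, cnonce: str):
    bare = f"n={username},r={cnonce}".encode()
    return b"n,," + bare, bare            # full message, and the 'bare' part for AuthMessage


def server_first(record: dict, cnonce: str, snonce: str) -> bytes:
    salt_b64 = base64.b64encode(record["salt"]).decode()
    return f"r={cnonce}{snonce},s={salt_b64},i={record['iterations']}".encode()


def client_final(password: str, bare: bytes, sfirst: bytes):
    """Client derives keys from the password and proves it without revealing it."""
    attrs = parse(sfirst)
    salt, iters = base64.b64decode(attrs[b"s"]), int(attrs[b"i"])
    without_proof = b"c=" + base64.b64encode(b"n,,") + b",r=" + attrs[b"r"]
    auth_message = bare + b"," + sfirst + b"," + without_proof
    salted = hi(password.encode("utf-8"), salt, iters)
    client_key = hmac_(salted, b"Client Key")
    client_sig = hmac_(h(client_key), auth_message)
    proof = xor_bytes(client_key, client_sig)
    expected_server_sig = hmac_(hmac_(salted, b"Server Key"), auth_message)
    return without_proof + b",p=" + base64.b64encode(proof), expected_server_sig


def server_verify(record: dict, bare: bytes, sfirst: bytes, cfinal: bytes):
    """Server recovers ClientKey from the proof and checks H(ClientKey) == StoredKey."""
    without_proof, proof_b64 = cfinal.rsplit(b",p=", 1)
    auth_message = bare + b"," + sfirst + b"," + without_proof
    client_sig = hmac_(record["stored_key"], auth_message)
    client_key = xor_bytes(base64.b64decode(proof_b64), client_sig)
    if not hmac.compare_digest(h(client_key), record["stored_key"]):
        return None                                   # authentication failed
    return hmac_(record["server_key"], auth_message)  # ServerSignature, sent as v=


def run_exchange(record: dict, username: str, password_attempt: str):
    """Returns (server accepted client, client accepted server)."""
    cnonce = base64.b64encode(os.urandom(12)).decode()
    snonce = base64.b64encode(os.urandom(12)).decode()
    _, bare = client_first(username, cnonce)
    sfirst = server_first(record, cnonce, snonce)
    cfinal, expected_sig = client_final(password_attempt, bare, sfirst)
    server_sig = server_verify(record, bare, sfirst, cfinal)
    if server_sig is None:
        return False, False
    return True, hmac.compare_digest(server_sig, expected_sig)


def offline_guess(record: dict, candidates: list):
    """What a thief of the record can do: pay the full PBKDF2 cost for every guess."""
    for cand in candidates:
        salted = hi(cand.encode("utf-8"), record["salt"], record["iterations"])
        if hmac.compare_digest(h(hmac_(salted, b"Client Key")), record["stored_key"]):
            return cand
    return None


if __name__ == "__main__":
    rec = store_password("fido")                      # constructed sample password
    print("stored record keys:", sorted(rec))         # no 'password' in there
    print("correct password:", run_exchange(rec, "alice", "fido"))
    print("wrong password:  ", run_exchange(rec, "alice", "rex"))
    print("guessed offline: ", offline_guess(rec, ["rex", "spot", "fido"]))
```

Two things worth noticing when you run it. The server record alone does not let an attacker authenticate as the client, because the proof requires ClientKey and the server only holds its hash; and the offline guess loop still finds a weak password like "fido", it just pays 4096 HMACs per candidate for it. A caveat from the RFC's security considerations that a practitioner should keep in mind: someone who has stolen the record and can also see one plaintext (non-TLS) exchange can recover ClientKey from the proof, exactly as the server does, so the hashed store is a second line of defence, not a substitute for TLS.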

What about PLAIN?

PLAIN will work with SCRAM-hashed stores (the server receives the password and can derive the stored keys from it), but it'll also work with almost every other password store, from plaintext to Active Directory. So it's good to have an IM client that supports PLAIN, but you're then sending your password in plaintext on the "wire" - a rogue server, or just careless debugging logs, could leak your password easily. If you must use PLAIN, only ever use it over TLS.