What someone could do if they have access to the application key of a laravel project?
What could be done?
Basically, they can decrypt and encrypt almost anything and your app will accept it as an input.
For example with your app key, someone can generate cookies that will log them in as any user of your app, without using any password.
If someone stole that key, best is to regenerate it as soon as possible.
However it'll render everything encrypted by your app invalid. So remember me token, cookies, and session will get invalidated and everyone will have to login again.
Also, if you use the Encrypter class in your app, remember that it'll not be able to decrypt successfully any previously encrypted thing anymore, so you'll have to migrate data by decrypting it using the old key, then re-encrypting it with the new one.
Also the most annoying part is that every password created with Hash:make will no longer be valid. But well, if the attacker has access to your APP key, he also has access to your DB credential, and so your full password database isn't safe anymore and you should force users to regenerate all of their passwords.
Related
a while back I worked on a program with a friend for which I needed to use the Gmail API. I generated a client_secret JSON and a credentials JSON. Now, neither of us needs to use that program, and I'd like to make sure that I've revoked access correctly so that neither the client_secret nor credentials can be used anymore. I went to the project in console.developers.google.com. I then went to the project, reset the secret, then deleted. Are there any more steps I need to take to make sure that no one has access to my account through client_secret or credentials? Thanks!
Deleting the secret or regenerating it should be more then enough to disable the client.
However if you want to be sure you can just delete the client itself or the full project.
I want to remake my Laravel application, but I'm keeping the same old DB. So I don't want users passwords to become invalid.
Do I need to copy the APP_KEY from my current app into the new one?
What else would I need to do to make sure my users won't have any trouble logging into the new App using their current passwords?
This is a common misconception.
Laravels passwords are hashed using Hash::make() or bcrypt(), neither of which use APP_KEY so it shouldn't affect it.
You shouldn't need to do anything, I sometimes have several test databases
which I switch between, and haven't had any problems.
The APP_KEY is actually used for encrypted cookies, including Session cookies
APP_KEY is used for encryption, not hashing, so your user passwords will not be affected.
What will be affected are encrypted session cookies. Changing APP_KEY will effectively cause all users to be logged out, and invalidate any existing session cookies. This is probably okay, but something worth paying attention to.
If you use encryption for any of your database data, you will also need to decrypt all of the existing data with the previous key and re-encrypt with the new key.
If you're using Laravel Passport and have long-lived access tokens, they may also become invalid and need to be re-issued.
I'm using DynamoDB to save my users and their passwords.
Now I currently make a request to get the user and his password from the database and I check on the clients side if the password was correct.
I've thought some more about it and you could probably see the password with a network-sniffer. But when I make a server-side validation, I would still have to upload the password to the server, so same effect.
I also thought about one-way hashes, which apparently aren't safe either.
Isn't there a better way to authenticate.
In my app, safety is an important aspect.
Can anyone help me?
I ended up using a SHA-256 Hash on the clients side and uploading the hashed password to the database.
I have an command line application (not rails) that needs the user to provide their username and password for the website the cli accesses.
I don't want to make the user enter their details for each and every command they execute.
How do I store the details without compromising security and storing the details without encryption? If I encrypt the password, where should I store the pass key so it is still secure?
I imagine an implementation similar to the way the Heroku gem works would be good.
UPDATE:
So I have gone ahead and implemented this in my application, but something doesn't feel quite right about the solution yet.
Prior to accessing the website for the first time, the user is prompted to enter their username and password. Following successful login, the user is asked whether to store the details for later. If yes, the password is encrypted using a key - however, as this is a ruby gem, the key is stored in the application in plain text.
Is there another way to do this. The file containing the username/password is now secure BUT the key to unlock it is stored in the application code.
On the update: no. If you need access to the plain text password, you can only obfuscate the password. You cannot safely store it. The key needs to be in plain, or the key that encrypts that key needs to be in plain, ad infinity. Can't be done.
I haven't had to tackle a login process before so this is new territory for me and all I seem to be finding on Google are conflicting methods of handling this process, so I was hoping someone could help clarify.
So far I have a salted SHA1 hash made from mixing username, password and my salt variable.
When the user logs in their credentials get hashed, then this hash gets sent to sql and if found comes back with a UserID (or something). So I know they are authenticated.
With that I can handle their session with session variables.
Is that right so-far?
Anyway, I wanted to have the option of "remember me" and was looking at storing something in a cookie but am not sure what to put in there as, as-far-as I am aware storing the hash would be pretty much the same as putting their username & password in plain text.
I'm confused, can anyone shed some light?
Thanks in advance
You are usually better off using the authentication methods provided by your platform than creating one yourself. There are a lot of non-obvious problems that you can easily leave yourself open to. Which platform are you using? Are you using a web framework?
General purpose hashes like SHA1 are inappropriate for password hashing as they are optimised to be very quick, when you want something that is very slow. For discussion of this, see How To Safely Store A Password.
Anyway, I wanted to have the option of "remember me" and was looking at storing something in a cookie but am not sure what to put in there as, as-far-as I am aware storing the hash would be pretty much the same as putting their username & password in plain text.
Hashes are designed to be one-way functions, so no, it isn't the same as putting their username and password in plain text. However if you do it that way, you'll have to create a way of letting somebody authenticate with the hash instead of their username and password, and that is the same as storing their username and password on the client (as far as you are concerned, anyway).
I like the fact that you have used salt for your hashing but I don't think it's necessary to use the username for hashing only password+salt should be enough. Specially it will inflict an overhead of rehashing if you want the option of changeable usernames for your system.
For remember me option, I don't think you should store any credentials at client side cookies. Only the session ID should be enough. If you want to make it really secure you should use client-side certificates that are issued by the server.
http://it.toolbox.com/blogs/securitymonkey/howto-securing-a-website-with-client-ssl-certificates-11500
Your first login process is correct and up to todays security standards with the only exception that you may want to choose another hashing function over sha1.
Sha1 is very quick and therefore brute force attacks to crack a hash are faster. So if your hashes (database) and token (source code) get leaked, the passwords can be cracked.
One countermesure is to use a slower hashing function (see Jims answer for an article about that)
But the best of course would be not to leak your hashes in the first time.
A possibility for the remember me function is to let the user keep the session cookie for longer. For example Magento and Zend Auth does this.
This is however very ugly because you are likely to get hundrets of thousands of sessions stored on your servers, even for users that never return.
The far more elegant way is to store this information client side.
Sidenote: Of course you shouldnt put too many cookies on the client because they get transmitted with every page request. But a login cookie is a very valid case to do so. A good practice is to store the login cookie at the client side and populate the server session with data saved in a database at login which is marked in a session. This way you eliminiate continous database requests and have a good user data registry. Of course write has to be done to the database and session directly or better to the database and then somehow flushed to the application (full or incrementally).
Putting the hash in a client cookie isnt like "plaintext". However its ugly and awful and insecure on many levels.
There are some different approaches but they mostly involve some hashing again.
The most common and easy one is something like to put a cookie with user_id=john and user_token=HASH($userid.$appsecret) on the client. Or to store them as one in one cookie.
This is kinda secure but I prefer the following method:
Generate a string that holds:
userid ; user agent ; first two ip segments ; current timestamp ; your application secret token
Run it through a good hashing function and store a cookie at the users client that looks like
auth=userid;timestamp;hash-of-the-above
When the client logs in via cookie you re construct taht string from above but take the timestamp and user id from the cookie. Generate the hash and see if it matches. Then you have validated that it is the cookie you generated for that ip adress segment and this user agent at the specified time
Sidenote: first two ip segments rarely changes with dynamic isps. you can leave them away too, its for extra security.
What is the main advantage of thsi method?
The client or you can invalidate all login cookies by setting a timestamp. Only cookise that have been generated afterwards are accepted. You can also implement a timeout.
This is good if you want to "remote logout" form a public computer where you forgot to log out or something.
I think functionality is very important and with this method you dont have to keep track of single login cookies (like google does).
Hope this helps you.
You can scale this method to any level of security you like and adjust it to your needs.
your authentication is just fine. If you want to make it even more secure you could transmit the login information with a SSL encrypted connection so nobody can read what's going across the network.
The remember token is quite simple let's say you want a remember me function that is valid for 14 Days.
A stranger with no authenticated session comes to your site:
Check if there is a remember me token in a cookie
If yes, check if you can find this remember me token in your database and check if the "valid until" column is still valid (date comparison)
If you find a valid token you can set the user id and authenticate his session
If you don't find a valid token redirect the user to the login page if necessary
When the user fills out the login form and authenticates him sucessfully:
Generate a token using an appropriate hashing function. The token you hash could look like "[Timestamp]---[userpwd]" so it's (almost) definitely unique! Save the token and the date until the token is valid (+14 Days from now as example) to your database connected with the user's id. If there's an expired token, replace it because you don't need to store expired tokens.
If the user logs out by clicking the logout button or similar just delete the token record in your database and the user's cookie.
That's it!
If your platform (web server etc) supports HTTP digest authentication, i would strongly advise you to use it. It was designed by people who know more about security than either of us ever will. It doesn't send passwords over the network. It is supported by all modern web browsers, including mobile devices. If the browser has the password stored, it happens transparently during connection, giving you the 'remember me' functionality without needing to go anywhere near a cookie.
The only thing it doesn't do is let you use a nice form - the use will get a dialog box from their browser to log in.