Reputation: 79
Ensure password format in a website
I'm currently developing an intranet website for a client and I'm facing a problem according to the passwords management. The users will have to be logged in to access the website. I will manage manually the creation of new users account. For example a manager will give me the list of all employees that he wants to give access to the website. I will create each user account with a generated password (a different one for every user) that will be valid for only a couple of days. On the first login, the user will have to change his password to another. The new password will have some requirement (i.e. length, uppercase letter, have a number in it, …). This is pretty usual stuff.
My problem is that since this application will work in a network (it's an intranet),I cannot validate the password on the client side (the client can disable Javascript, or the data can change on the network (i.e. man in the middle). Also, I don't think it is safe to send a clean password via the network, so I'm using SHA-1 to hash password on the client side before sending it to the network.
My problem is that since the server gets the password hashed, it has no way to validate the length or that it match the formatting requirements.
I'm working with C# and the MVC 5 framework, but my problem is more a design problem, than a programming one.
Sorry for the long intro and thank you very much for the answers
Regards
Pierre
Upvotes: 0
Views: 65
Answers (1)
Reputation: 165193
Also, I don't think it is safe to send a clean password via the network, so I'm using SHA-1 to hash password on the client side before sending it to the network.
This is not necessary.
Let's look at the potential attack vectors:
Packet Sniffing (eavesdropper)
An attacker who can view the network traffic can simply view the SHA-1 over the wire. Since you're not salting it, you have no replay protection. Meaning that the attacker can just re-use the SHA-1 result and authenticate.
Using SSL alone (no client-side hash) will combat this attack.
Man In The Middle
An attacker who can MITM the content can inject his own code to sniff the password prior to hashing.
Using SSL alone (no client-side hash) will combat this attack.
Server-Side Attacker
If someone can get code onto your server, you're screwed anyway.
So in short, just use SSL. No need to "pre-hash"...
Upvotes: 1
Related Questions
- Password protecting web page
- HTML password pattern validation
- Enforcing Password Requirements
- A set of valid characters for web site passwords
- Password Management : Hard coded password in html
- checking password format
- how can we validate a password as css
- What is a set of sensible requirements on passwords?
- Password validation
- Password protect a simple web site