I have a Django-based site (not yet launched, so there are no real users) using plain django.contrib.auth, and want to store passwords as plain-text, not salted SHA-1 hashes.

The question is what's the best approach to do this, hopefully, without patching (or monkey-patching) Django source code?

NOTE: I know perfectly well this is certainly less secure. Plaintext is required to perform challenge-response auth, like CHAP for PPTP VPN, DIGEST-MD5 for IMAP4 and HTTP Digest for WebDAV-based file storage. So, I'm trading DB-level security for connection-level security.

Of course, I'm considering educating and encouraging users on using X.509 certificates (and not having any passwords), but this is not so easy.

Reversibly encrypting (obfuscating) passwords, and using some sort of column-level permissions so the password will be INSERTable/UPDATEable, but not SELECTable by the web user (only accessible for some custom check function, like SELECT * FROM users WHERE 'somesha1hash' = USER_HMAC(id, 'salt')) so the passwords won't be "just there" is a good idea and I'll try to do it. Suggestions on securing plaintext data are warmly welcomed, but what I mostly want to hear is how to hack the way passwords are stored.

+5  A: 

Don't do this. It violates basic security principles. Better not to have a password at all than to do this.

Regarding your updated question: store those external-access passwords encrypted in a separate table (they may not all be the same, anyway). Use the user's password to generate a salted key for this encryption. Then, when she logs in, your app may decrypt and use those keys.

This is very hard indeed to get right. Good luck!

Ber
Thank you for the suggestion! Unfortunately, this requires the user to log in to the website first, then temporarily keep the decryption key somewhere to pass it to a RADIUS server or POP3/IMAPd, and only then will PPTP connections be possible, but just for some time. And users will have to remember two passwords instead of one. Sounds quite hard. I'm obviously thinking about promoting X.509/TLS auth, but unfortunately a lot of users are too used to the login-password scheme and just won't grasp the public-key concept too easily.
drdaeman
@drdaeman, you are already making your users remember multiple passwords, because they can't reuse the one you're storing in cleartext.
Iceman
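The scheme Ber describes, as an added example that is not part of any answer on this page: the external-access password is encrypted under a key derived (PBKDF2-HMAC-SHA256) from the site login password and a per-user salt, so the stored row is useless without the login password, and it can only be decrypted at the moment the user logs in. The cipher here is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen so the example runs on the standard library alone; a vetted AEAD (e.g. AES-GCM from a crypto library) would take its place in a real deployment. Iteration count, key length and the `b"enc"`/`b"mac"` labels are assumptions of this example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed cost parameter for this example
KEY_LEN = 32                 # bytes


def derive_key(login_password: str, salt: bytes) -> bytes:
    """Per-user key from the site login password; never stored, only recomputed at login."""
    return hashlib.pbkdf2_hmac("sha256", login_password.encode(), salt, PBKDF2_ITERATIONS, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 over nonce||counter, used as a PRF keystream (stand-in for an AEAD cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_service_password(key: bytes, service_password: str) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag as one opaque blob."""
    enc_key = hmac.new(key, b"enc", "sha256").digest()  # separate keys for cipher and MAC
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    nonce = os.urandom(16)
    plaintext = service_password.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def decrypt_service_password(key: bytes, blob: bytes) -> str:
    """Check the tag first; a wrong login password or a tampered row raises ValueError."""
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or tampered credential blob")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))).decode()


def store_at_signup(login_password: str, service_password: str) -> dict:
    """The only things kept in the separate table: the salt and the blob."""
    salt = os.urandom(16)
    return {"salt": salt, "blob": encrypt_service_password(derive_key(login_password, salt), service_password)}


def recover_at_login(row: dict, login_password: str) -> str:
    """Runs once at web login, when the plaintext login password is briefly in hand."""
    return decrypt_service_password(derive_key(login_password, row["salt"]), row["blob"])
```

The blob must be re-encrypted whenever the login password changes, and nothing in the table lets the app recover the service password between logins, which is exactly the limitation drdaeman raises above.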
+1  A: 

Why?

Trying to make a quality framework like Django do the wrong thing, on purpose, may require a certain amount of hair-pulling.

Justice
+5  A: 

In Django, it's not that hard: you simply have to write an authentication backend that will authenticate users against passwords stored in plaintext.

That said, you should never store passwords in plaintext.
The main point is that people tend to use the same password over and over again and therefore, by using plaintext on your site, you put your users at risk of an attacker getting into their bank accounts.
Jeff Atwood wrote a nice post about this topic, You're Probably Storing Passwords Incorrectly; I suggest you read it, because it will explain the issues with plaintext passwords much better than I can.
At least, you should encourage your users to use a different password from their "secure" ones; for instance, you could simply generate new random passwords, even if this approach has its own limitations, too.

Another approach, that could be much more secure: write your authentication backend, that will validate against (for instance) the WebDAV storage. You do not store the passwords anywhere in your system - you simply pass them through. I do not know if it may work in your case (especially if you have to authenticate against several sources) but at least you can give it a try.

Roberto Liffredo
Thank you very much. Shame on me, I didn't think about it this way.
drdaeman