Programs that store a password as cleartext (unencrypted text data) risk exposure of the password in a variety of ways. Programs must prevent this information from being leaked. Although programs generally receive passwords from users as cleartext, this should be the last time the password is in this form.
An acceptable technique for limiting the exposure of passwords is the use of hash functions, which allow programs to indirectly compare an input password to the original without storing a cleartext or decryptable version of the password. This approach minimizes the exposure of the password without presenting any practical disadvantages.
Cryptographic Hash Functions
The value produced by a hash function is the hash value or message digest. Hash functions are computationally feasible functions whose inverses are computationally infeasible. In practice, a password can be encoded to a hash value, but decoding remains infeasible. The equality of the passwords can be tested through the equality of their hash values.
You should always append a salt to the password you are hashing. A salt is a randomly generated piece of data that is stored along with the hash value. The use of a salt helps prevent brute-force attacks against the hash value, provided the salt is long enough. Each password should have its own salt associated with it. If a single salt were used for more than one password, two users would be able to see whether their passwords are the same.
The choice of hash function and salt length presents a trade-off between security and performance. Increases in the time required to compute hash values raise the effort required for effective brute-force attacks, but make the program slower when must it validate a password. Increasing the length of the salt makes brute-force attacks more difficult, but requires additional storage space.
Java's MessageDigest class provides implementations of various cryptographic hash functions. Avoid defective functions such as MD5. Hash functions such as SHA-1 and SHA-2 are maintained by the NSA and are currently considered safe.
Noncompliant Code Example
This noncompliant code example encrypts and decrypts the password stored in credentials.pw.
public final class Password {
private void setPassword(byte[] pass) throws Exception {
bytes[] encrypted = encrypt(pass); //arbitrary encryption scheme
clearArray(pass);
saveBytes(encrypted,"password.bin"); //encrypted password to password.bin
}
private boolean checkPassword(byte[] pass) throws Exception {
boolean arrays_equal;
byte[] encrypted = loadBytes("password.bin"); //load the encrypted password
byte[] decrypted = decrypt(encrypted);
arrays_equal = Arrays.equal(decrypted, pass);
clearArray(decrypted);
clearArray(pass);
return arrays_equal;
}
private clearArray(byte[] a) {
//set all of the elements in a to zero
}
}
An attacker could potentially decrypt this file to discover the password. The attacker could be someone who knows or has figured out the encryption scheme being used by the program.
Noncompliant Code Example
This noncompliant code example implements the SHA-1 hash function through the MessageDigest class to compare hash values instead of cleartext strings.
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public final class Password {
private void setPassword(String pass) throws Exception {
byte[] salt = generateSalt(12);
MessageDigest sha_1 = MessageDigest.getInstance("SHA-1");
byte[] hashVal = sha_1.digest((pass+salt).getBytes()); //encode the string and salt
saveBytes(salt, "salt.bin");
saveBytes(hashVal,"password.bin"); //save the hash value to credentials.bin
}
private boolean checkPassword(String pass) throws Exception {
byte[] salt = loadBytes("salt.bin");
MessageDigest sha_1 = MessageDigest.getInstance("SHA-1");
byte[] hashVal1 = sha_1.digest((pass+salt).getBytes()); //encode the string and salt
byte[] hashVal2 = loadBytes("password.bin"); //load the hash value stored in password.bin
return Arrays.equals(hashVal1, hashVal2);
}
private byte[] generateSalt(int n) {
//Generate a random byte array of length n
}
}
Even when an attacker knows that the program stores passwords using SHA-1 and a 12-byte salt, she will be unable to retrieve the unencrypted password from password.bin and salt.bin.
Although this approach fixes the decryption problem from the previous noncompliant code example, at runtime this code may inadvertently store the passwords as cleartext. Java string objects are immutable and can be copied and internally stored by the Java Virtual Machine (JVM). Consequently, Java lacks a mechanism to securely erase a password once it has been stored in a String. See MSC63-JG. Limit the lifetime of sensitive data for more information.
Compliant Solution
This compliant solution addresses the problems from the previous noncompliant code example by using a byte array to store the password.
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public final class Password {
private void setPassword(byte[] pass) throws Exception {
byte[] salt = generateSalt(12);
byte[] input = appendArrays(pass, salt);
MessageDigest sha_1 = MessageDigest.getInstance("SHA-1");
byte[] hashVal = sha_1.digest(input); //encode the string and salt
clearArray(pass);
clearArray(input);
saveBytes(salt, "salt.bin");
saveBytes(hashVal,"password.bin"); //save the hash value to credentials.pw
}
private boolean checkPassword(byte[] pass) throws Exception {
byte[] salt = loadBytes("salt.bin");
byte[] input = appendArrays(pass, salt);
MessageDigest sha_1 = MessageDigest.getInstance("SHA-1");
byte[] hashVal1 = sha_1.digest(input); //encode the string and salt
clearArray(pass);
clearArray(input);
byte[] hashVal2 = loadBytes("credentials.pw"); //load the hash value stored in credentials.pw
return Arrays.equals(hashVal1, hashVal2);
}
private byte[] generateSalt(int n) {
//Generate a random byte array of length n
}
private byte[] appendArrays(byte[] a, byte[] b) {
//Return a new array of a appended to b
}
private void clearArray(byte[] a) {
//set all of the elements in a to zero
}
}
In both the setPassword() and checkPassword() methods, the cleartext representation of the password is erased immediately after is converted into a hash value. Consequently, attackers must work much harder to retrieve the cleartext password after the erasure. Providing truly guaranteed erasure is extremely challenging, likely to be platform-specific and may even be impossible due to the possible involvement of copying garbage collectors, dynamic paging, and other platform features that operate below the level of the Java Language. Note, however, that most other languages share these complications (with the possible exception of garbage collection).
Applicability
Passwords stored without a secure hash are exposed to malicious users. Violations of this guideline generally have a clear exploit associated with them.
Applications such as password managers may need to retrieve the original password in order to enter it into a third-party application. This is permitted, even though it violates the guidline. The password manager is accessed by a single user and always has the user's permission to store his passwords and to display those passwords on command. Consequently, the limit to safety and security is the user's competence rather than the program's operation.
Related Guidelines
"Insufficiently Protected Credentials [XYM]" | |
CWE ID 256, "Plaintext Storage of a Password" |