Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The "password" auth system stores password as plaintext! #371

Open
crazyscientist opened this issue Jan 31, 2023 · 4 comments
Open

The "password" auth system stores password as plaintext! #371

crazyscientist opened this issue Jan 31, 2023 · 4 comments

Comments

@crazyscientist
Copy link

A comment in #222 gives instructions on how to create a user for local authentication (aka. password auth system). This instruction is shared in #244. Also, #268 encourages people to use the password auth system.

There is just one problem: The password is stored as plaintext in the database.

Example:

>>> from helios_auth.models import User
>>> u = User.objects.create(user_type='password',user_id='nemo@example.com', info={"name": "Andreas", "password": "my-secret-password"}, admin_p=True)
>>> u.user_id, u.info
('nemo@example.com', {'name': 'Andreas', 'password': 'my-secret-password'})
@benadida
Copy link
Owner

Yes, in plaintext, by design. I know this sounds scary at first, but consider the following:

  • the password is randomly generated by Helios, not selected by the user, so it's not going to be reused anywhere else.
  • it's per election, so it's valid only for casting a single vote.
  • it has to be sent to the user by email.

Put all of those together, and there's little value and a good bit of cost to hashing/bcrypting these passwords.

If they were broad-purpose user-selected passwords, that would be a very different story.

@crazyscientist
Copy link
Author

Thanks for the quick reply.

Having spent only a few hours with the UI and source code I have noticed two different "user" models:

  • Voter, which also stores a plaintext password and seems to be the model you are referring to.
  • User, which is the model used for admins and election organizers.

For the Voter model, which is used for authentication during the voting process, your design choices make perfect sense to me.

But the password stored in the User model, which is used for the log in of admins and election organizers, is not a one-time password. Storing it as plaintext might be considered a bit risky.

@benadida
Copy link
Owner

Hi @crazyscientist you're right about where it's stored, but to be clear password-type users are never election organizers / admins. I agree with you that, if they were, that would be a more problematic design.

@crazyscientist
Copy link
Author

password-type users are never election organizers / admins

While this is true for the publicly available service, which only offers Google and GitHub, for a self-hosted server this might not be true. It only takes two env. variables to force the server to use password-type users.

PS: Sorry for dragging you into this discussion. My original intent was only to share my discovery with people inclined to host their own service and disable 3rd party authentication services.

@crazyscientist crazyscientist mentioned this issue Feb 2, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@benadida @crazyscientist