[midPoint] Storing passwords in Midpoint

Radovan Semancik radovan.semancik at evolveum.com
Fri Apr 1 20:21:34 CEST 2016 

Hi,

That's right. We store all passwords in encrypted form. However the key 
is NOT stored in the database. The key is in the keystore (which can be 
switched to HMS if necessary). So the password exposure is somehow limited.

We need cleartext password to be able create new accounts. And we need 
permanent access to the cleartext because accounts may be created for a 
user any time (e.g. new role is requested and approved). As far as I 
know there are only three more-or-less practical ways how to solve this:

1: cleartext (or reversible encrypted) password storage. This is what we 
do now. Very convenient and very practical. But there is security risk.

2: Do not store passwords at all. When a new account is created notify 
user that there is a new account and it needs to be activated by setting 
a password. Then the user authenticates by his existing credentials 
(e.g. AD or LDAP) and sets the password for that new account. Forget the 
password right after it is set. This is more secure but not very 
user-friendly approach.

3: Store passwords hashed by all the hashing algorithms that all the 
connected resources need, regardless whether the user has an account or 
not. The use the hashed value when setting up new account, not a 
cleartext. This is theoretical option. It may be feasible for some 
resources. But it will not work for all cases because too many 
application interfaces require a cleartext password when creating new 
account. A variation is to always create accounts on all the resources 
for everybody, just disable the accounts. However, the question here is 
how to connect a new resource. That would require to force change of all 
the passwords for all the users.

The options two and three have also additional drawbacks. E.g. they 
cannot be used to implement a policy which requires to use different 
passwords for different applications (e.g. different security levels). 
In that case theoretically midPoint can check that the password are 
different, but it cannot check if the difference is just one letter or 
there is fact substantial difference. So, all the options have 
advantages and disadvantages.

Currently we support only option 1. This seems to be the common 
trade-off and the most popular method in IDM field. So we have started 
with that. I would love to implement option 2 as soon as possible if we 
can secure a funding for that. Option 3 may be also interesting, but I'm 
not sure how practical it can be.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 04/01/2016 07:53 PM, Camilo Viecco1 wrote:
> So why not use a temporary mechanism push the cleartext password 
> between components (memory/pipe/TLS channel).  Keeping the ALL 
> passwords in cleartext is an unnecessary risk, any plans to move away 
> from this?
>
> Camilo
>
> From: midPoint <midpoint-bounces at lists.evolveum.com 
> <mailto:midpoint-bounces at lists.evolveum.com>> on behalf of Devin 
> Rosenbauer <devin at identityworksllc.com 
> <mailto:devin at identityworksllc.com>>
> Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com 
> <mailto:midpoint at lists.evolveum.com>>
> Date: Friday, April 1, 2016 at 9:51 AM
> To: midPoint General Discussion <midpoint at lists.evolveum.com 
> <mailto:midpoint at lists.evolveum.com>>
> Subject: Re: [midPoint] Storing passwords in Midpoint
>
> Typically an identity manager needs access to the user's password in 
> cleartext so that it can be set on other systems, e.g. setting the 
> user's initial password on a new account, etc.
>
> On Fri, Apr 1, 2016 at 12:45 PM, Florin. Stingaciu 
> <fstingaciu at mirantis.com <mailto:fstingaciu at mirantis.com>> wrote:
>
>     Hello,
>
>     From my understanding passwords in Midpoint are encrypted using an
>     256-bit AES key and then stored in the Midpoint DB. I was
>     wondering if there is any sort of hash applied to password before
>     it's encrypted. If not, is there a purpose for having access to
>     the clear text password?
>
>     Thanks,
>     -F
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> -- 
> Devin Rosenbauer
> Principal Consultant
> Identity Works LLC
> +1 585 210 3201
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160401/11715055/attachment.htm>

More information about the midPoint mailing list