[midPoint] Storing passwords in Midpoint

Richard Frovarp richard.frovarp at ndsu.edu
Mon Apr 4 16:56:14 CEST 2016


The other option from an organizational perspective is to do #2 and 
severely limit the number of password stores you have. If everything 
ties back to one (or two) password stores, either through direct access 
(LDAP to AD for instance), or SAML (CAS, Shibboleth, ADFS, etc), then 
there is very little need to actually set real passwords upon account 
creation.

On 04/01/2016 01:21 PM, Radovan Semancik wrote:
> Hi,
>
> That's right. We store all passwords in encrypted form. However the key
> is NOT stored in the database. The key is in the keystore (which can be
> switched to HMS if necessary). So the password exposure is somehow limited.
>
> We need cleartext password to be able create new accounts. And we need
> permanent access to the cleartext because accounts may be created for a
> user any time (e.g. new role is requested and approved). As far as I
> know there are only three more-or-less practical ways how to solve this:
>
> 1: cleartext (or reversible encrypted) password storage. This is what we
> do now. Very convenient and very practical. But there is security risk.
>
> 2: Do not store passwords at all. When a new account is created notify
> user that there is a new account and it needs to be activated by setting
> a password. Then the user authenticates by his existing credentials
> (e.g. AD or LDAP) and sets the password for that new account. Forget the
> password right after it is set. This is more secure but not very
> user-friendly approach.
>
> 3: Store passwords hashed by all the hashing algorithms that all the
> connected resources need, regardless whether the user has an account or
> not. The use the hashed value when setting up new account, not a
> cleartext. This is theoretical option. It may be feasible for some
> resources. But it will not work for all cases because too many
> application interfaces require a cleartext password when creating new
> account. A variation is to always create accounts on all the resources
> for everybody, just disable the accounts. However, the question here is
> how to connect a new resource. That would require to force change of all
> the passwords for all the users.
>
> The options two and three have also additional drawbacks. E.g. they
> cannot be used to implement a policy which requires to use different
> passwords for different applications (e.g. different security levels).
> In that case theoretically midPoint can check that the password are
> different, but it cannot check if the difference is just one letter or
> there is fact substantial difference. So, all the options have
> advantages and disadvantages.
>
> Currently we support only option 1. This seems to be the common
> trade-off and the most popular method in IDM field. So we have started
> with that. I would love to implement option 2 as soon as possible if we
> can secure a funding for that. Option 3 may be also interesting, but I'm
> not sure how practical it can be.
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
>
> On 04/01/2016 07:53 PM, Camilo Viecco1 wrote:
>> So why not use a temporary mechanism push the cleartext password
>> between components (memory/pipe/TLS channel).  Keeping the ALL
>> passwords in cleartext is an unnecessary risk, any plans to move away
>> from this?
>>
>> Camilo
>>
>> From: midPoint
>> <<mailto:midpoint-bounces at lists.evolveum.com>midpoint-bounces at lists.evolveum.com>
>> on behalf of Devin Rosenbauer <devin at identityworksllc.com
>> <mailto:devin at identityworksllc.com>>
>> Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com
>> <mailto:midpoint at lists.evolveum.com>>
>> Date: Friday, April 1, 2016 at 9:51 AM
>> To: midPoint General Discussion <midpoint at lists.evolveum.com
>> <mailto:midpoint at lists.evolveum.com>>
>> Subject: Re: [midPoint] Storing passwords in Midpoint
>>
>> Typically an identity manager needs access to the user's password in
>> cleartext so that it can be set on other systems, e.g. setting the
>> user's initial password on a new account, etc.
>>
>> On Fri, Apr 1, 2016 at 12:45 PM, Florin. Stingaciu
>> <<mailto:fstingaciu at mirantis.com>fstingaciu at mirantis.com> wrote:
>>
>>     Hello,
>>
>>     From my understanding passwords in Midpoint are encrypted using an
>>     256-bit AES key and then stored in the Midpoint DB. I was
>>     wondering if there is any sort of hash applied to password before
>>     it's encrypted. If not, is there a purpose for having access to
>>     the clear text password?
>>
>>     Thanks,
>>     -F
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>> --
>> Devin Rosenbauer
>> Principal Consultant
>> Identity Works LLC
>> +1 585 210 3201
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>




More information about the midPoint mailing list