- From: <bugzilla@jessica.w3.org>
- Date: Mon, 27 Jun 2011 08:14:12 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13067 Summary: Password hashing Product: HTML.next Version: unspecified Platform: PC OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: default AssignedTo: dave.null@w3.org ReportedBy: gunniboyh@web.de QAContact: public-html-bugzilla@w3.org CC: plh@w3.org, mike@w3.org I would like to propose a new feature for HTML: password hashing. In most web applications that allow users to register and log in, passwords are transmitted in plain text over the internet. This is a serious security flaw. So far, this security flaw can only be addressed by either using HTTPS (which is rarely used because certificates that are trusted by most user agents are costly) or using HTTP authentication (which is rarely used as well because it can not be used with a regular HTML form). Adding support for various password hashing schemes to HTML would probably help owners of web pages to provide their users more security without loss of comfort and hopefully help simple but effective security schemes to be deployed more widely. I will now present a more precise scheme: More attributes should be added to <input type="password"> tags: hash-algorithm: This is the actual algorithm used for hashing (such as md5 or sha1). salt : A salt that should be used before the password is hashed. hashing-scheme : This may be used to specify how the hash will be generated from the password before it is transmitted. For example, this may include how the password and the salt are combined before the hash is actually generated. one-time-salt: I will explain this attribute below. I will now present one such hashing-scheme: The salt and the clear text password are concatenated and hashed by the specified hash-algorithm. Then, the "one time salt" is prefixed to the result of the hash algorithm and the result is hashed again with the specified hash algorithm. The result may then be transmitted along with the form. This scheme will both protect the password from being transmitted in clear text and prevent simple replay attacks that might be possible if the "one time salt" would not be used. E.g., if the hash of the concatenation of salt and password were transmitted directly, any eavesdropper might later just replay that hash value and a web application could not distinguish between a request that was generated with the real password and a replay of a previous request. This scheme assumes, that the web application has access to the hashed concatenation of salt and password (without the one time salt applied). Under this assumption, the web application may generate arbitrary one time salts and compare the results of the hashing scheme when it receives a request. I am aware that HTML is meant for semantic markup and that it is questionable, if this proposal improves HTML's capabilities to provide such. However, this proposal is not meant to enhance those capabilites but to help simple but effective security schemes to be deployed more widely. -- Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug.
Received on Monday, 27 June 2011 08:14:13 UTC