Question About Password Systems

[Narphet]

Say a site has a log-in system on it. These are as far as I can tell the possible ways of implementing this:

1. Client sends password in cleartext, server compares it to stored passwords, which are also in cleartext.

2. Client sends password in cleartext, server hashes it and compares the hash to stored passwords, which are hashed.

3. Client hashes password before sending, server compares it to stored passwords, which are hashed.

And all of these are equally vulnerable. For the first two, you just intercept what the client sends, and there's your password. Just type it into the HTML form or whatever. The the third, again intercept what the client sends, just this time send it to the server directly so that the client-side pre-processing doesn't hash it a second time.

So what's the point of encrypting passwords?

[Goatboy]

There's really no perfectly secure system, even in theory. I mean I suppose you could claim a system is 100% safe, as long as it doesn't do anything, but let's be practical here. If it can be used in a legit way, it can be broken.

That said, just about all that security does is to make it harder for an attacker. This is why you see security in layers. You have to remember that an attacker only needs to find one hole, while a defender needs to protect against them all.

It's like why we have seatbelts and airbags. Saying people can still die when using them both is not a good reason to get rid of them altogether.

[Narphet]

But this doesn't make it harder to break in at all. The most secure system presented up there is #3, which only means that the attacker has to change the HTTP requests sent by the browser, which is trivial. So what other security "layers" are in place to prevent that?

[insomaniacal]

Well, you have to find a way to intercept what the client sends don't you? This isn't much of a problem if you're on the same network, but if you're not, it's already substantially more difficult.

[msbachman]

So what's the point of encrypting passwords?

If you really need something to be secure from prying eyes, you'll need to do something like TLS that encrypts everything. It's not then a mere matter of monitoring traffic, because each side negotiates a key for the other to encrypt traffic with, and only the destination (without some strange exploit) would be able to decrypt it.

So doing that, there's no hash or plaintext password visible at all to an attacker.

Otherwise, encrypting passwords can have the effect of not being as easily grepped for in network traffic. I think that altering traffic from containing any sort of key/value pair of the password/value would be a good idea just so anyone listening wouldn't immediately be tipped off to it were they to grep for 'password' on a dump of sniffed traffic. It's just basic obfuscation though and not real security.