Security for updating a user password
583 views
Skip to first unread message
Phil Nadon
Feb 24, 2021, 1:22:07 PM2/24/21
to GAM for Google Workspace
Hello,
When digging further into how GAM sets a user's password, I realized that the Google API only accepts "SHA-1", "MD5", or "crypt" as hash functions for the user's password.
If generating a random password, depending on the platform it will use a different function.
- On Windows it will hash it using 5000 rounds of SHA-512, and otherwise it will simply run a platform-dependant version of "crypt".
- On MacOS, "crypt" only support DES which is highly insecure, and so passwords randomly generated on MacOS using GAM should not be considered secure (to my knowledge).
- On Linux, "crypt" defaults to a salted SHA-512 hash.
However, even with a salted SHA-512 hash being the most secure of the above, nowadays it is no longer recommended to hash passwords using SHA-512 and you should instead opt for something more reliable such as bcrypt or argon2.
Is this a limitation of the Google API, or is there a better method for ensuring that passwords are securely transmitted via the API call that GAM executes?
Ie. Is there something that can be done on the developer's end, or do we have no choice but to request that Google provide more secure methods for updating a user's password programmatically via the API?
Phil Nadon
Feb 24, 2021, 1:26:03 PM2/24/21
to GAM for Google Workspace
For context:
Google Admin SDK (which GAM relies on):
Section of code that randomly generates the password:
Function used to hash password:
- Any recommendation on the most secure practices for settings a user's password is appreciated!
Gabriel Clifton
Feb 24, 2021, 2:06:55 PM2/24/21
to google-ap...@googlegroups.com
I do not believe it is any API restriction and instead just what Google uses on the front end when setting the password whether through API, GAPS, or even through Admin Console. I can't find any documentation, but I believe after the initial setting of the password, it is further encrypted with a stronger encryption level.
--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/0a54dd3a-d195-44d7-bfef-05abbebc45f9n%40googlegroups.com.
Gabriel
Clifton | Network Administrator
Fort Stockton ISD | Technology Center
gabriel...@fsisd.net | http://www.fsisd.net
Office (432) 336-4055 ext 2
Fax (432) 336-4050
1204 W. Second St., Fort Stockton, TX 79735
CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.
— Ernest Hemingway
— Dr. Dre
Ross Scroggs
Feb 24, 2021, 2:11:26 PM2/24/21
to google-ap...@googlegroups.com
Gabriel,
Scroll down to Fields.
Roos
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAJXDcnuR8f9iHD8gW5-j3eJOQeN0GugEM8N7KFDdzu6hm4ABjw%40mail.gmail.com.
Ross Scroggs
Jay Lee
Feb 24, 2021, 2:33:29 PM2/24/21
to google-ap...@googlegroups.com
A few points:
- It does look like there's an issue where MacOS doesn't support sha512 so it just returns the old unix crypt format. I'll see about patching that.
- GAM doesn't store these passwords, it only transmits them to Google servers via HTTPS. In general HTTPS is sufficient to protect the raw password (that's all your browser uses on user web login) but some customers must go through a corporate proxy/firewall that does man-in-the-middle HTTPS inspection. While that's a customer's choice to setup I did think it prudent to add another layer of protection (good security == layers), thus GAM hashing passwords by default. There are some arguments to be made for not hashing the password though. Unhashed passwords means Google's rules on password complexity will be applied and you can prompt user to change to a more secure passowrd after first login. In general there are tradeoffs to each approach.
- Again, GAM isn't storing passwords, its' transmitting them to Google servers. Google does their own hashing of the password on their end. See https://cloud.google.com/blog/products/g-suite/notifying-administrators-about-unhashed-password-storage the article is actually about an issue where the passwords were not being hashed which has long been fixed but the point is, Google hashes the password on their end.
Jay Lee
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAJkvRS_oqCGRp1VhAu2T4-q22rz9St6SscX8ViF8rKm6juxrew%40mail.gmail.com.
Phil Nadon
Feb 24, 2021, 2:39:06 PM2/24/21
to GAM for Google Workspace
Thank you for the explanation, I believe out of the options provided by the Google API (and thus GAM), SHA-512 would be considered the most secure?
Jay Lee
Feb 24, 2021, 2:42:28 PM2/24/21
to google-ap...@googlegroups.com
Yes, it's the most secure hash method Google allows. It's also the method used by most current major Linux distributions out of box btw. Rounds is currently 5,000 I believe Google supports up to 10,000 rounds so we could increase that but 5k is the default and it seems unlikely a cracker could handle 5k but not 10k so diminishing returns there.
Jay Lee
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/b0fa6b71-09c8-4965-9bf3-5c519d398233n%40googlegroups.com.
Phil Nadon
Feb 24, 2021, 3:04:31 PM2/24/21
to GAM for Google Workspace
Thank you very much!
Reply all
Reply to author
Forward
0 new messages