Following on from my question last week, maybe a question for one of
the resident Google employees :)
We are intending to set passwords through the Google Apps Provisioning
API, sending (probably) the SHA-1 hash. We've been asked by the
University's security officer to clarify whether Google stores the
hash that we send, or whether it has further "salting"/encryption
applied beforehand?
Mally
Michael,
Again, thank you!
> No, we don't store the exact cryptographically hashed password you provide
> when creating or updating a user. The value we end up storing does use
> additional salting, as well as other one way transformations to provide a
> very secure result.
Further to this... do you have any plans to allow customers to supply
hashes in any stronger alternatives to SHA-1? E.g. SHA-2, or SHA-3 when
the winner of the NIST hash function competition is announced?
Mally
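
An added illustration, not part of the thread and not Google's actual scheme (which the reply does not describe): the sketch below shows why a provider would not keep a client-supplied unsalted SHA-1 as-is, and what "additional salting" plus a one-way transformation over it can look like. PBKDF2-HMAC-SHA256, the iteration count, and the function names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor, for illustration only


def client_sha1(password: str) -> str:
    """What the provisioning client sends: unsalted SHA-1 hex of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store(supplied_sha1_hex: str, salt: Optional[bytes] = None) -> dict:
    """Server side: discard the supplied hash, keep only salt + stretched value."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac(
        "sha256", bytes.fromhex(supplied_sha1_hex), salt, ITERATIONS
    )
    return {"salt": salt, "iterations": ITERATIONS, "hash": derived}


def verify(record: dict, password: str) -> bool:
    """Login: redo SHA-1, then the same salted derivation; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        bytes.fromhex(client_sha1(password)),
        record["salt"],
        record["iterations"],
    )
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Two constructed users who picked the same password.
    h1, h2 = client_sha1("password"), client_sha1("password")
    print("supplied hashes equal:", h1 == h2)        # unsalted SHA-1 collides per password
    r1, r2 = store(h1), store(h2)
    print("stored values equal:", r1["hash"] == r2["hash"])  # per-user salt separates them
    print("login ok:", verify(r1, "password"))
```

Note that in a layout like this the stored record is only as strong as the password itself; a stronger client-side hash than SHA-1 changes what travels over the API, not the guessability of a weak password.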