Table of Contents
The configuration XML encodes passwords and OTP seeds using hashes, this makes it extremely difficult to extract them from the config.
The user
section of the configuration has a password
field. You will note
that is it mostly a lot of hexadecimal data, the hash, as described below.
It is possible to put a new password into the configuration directly in the password
field and save the config.
It will be hashed automatically so when you access the configuration you will see the hashed version in the password
field.
However, this is not possible if you also have an otp-seed
defined, unless also setting a new
otp-seed
field or removing it. For this reason there is also a web page to allow a
user to change their password.
The FireBrick supports a number of hash functions for passwords, but on any successful login may change the config to use the current preferred password hash function. This allows FireBrick to move to more secure password hash functions in future whilst maintaining backward compatibility.
If making a configuration file independantly you can generate the hashes yourself in most cases. The supported hash codings are as follows. For salted hashes, the salt is the additional bytes after the number of bytes for the hash.
The preferred hash is SHA256 with 15 bytes of salt. However, this may change in the future to more robust password functions.
A hash function simply takes some data, and generates a hash from it - as a one-way process. This ensures that, given the hash, you cannot work out the original string (normally a password).
However, a particular string (e.g. password) always generates the same hash. As such it is possible for people to have huge tables of pre-calculated hashes for common passwords and dictionary words. This allows such (poor) passwords to simply be looked up from a hash.
There is also the problem that two people using the same password end up with the same hash, and so can see that the other person is using the same password.
To solve this, we use salt. Salt is simply a number of random bytes. These are appended to the end of the original data before making a hash. This means the hash is not just of a password, but of a password and a random string (the salt).
The salt is stored, along with the hash. This means it is possible to check a password by appending the salt and calculating the hash and checking it matches the stored hash.
The password hashes all have an option of salt. If making your own password we recommend the latest hash method and as much salt as allowed. The salt should be random.
The OTP seed is scrambled using a separate salt on the same password, else the encryption would simply be using the hash you see in the
password
field, which would not be very secure!