back to article Why the long name? Okta discloses auth bypass bug affecting 52-character usernames

In potentially bad news for those with long names and/or employers with verbose domain names, Okta spotted a security hole that could have allowed crims to pass Okta AD/LDAP Delegated Authentication (DelAuth) using only a username. But why is that bad news for those with long usernames? Well, it's because the bug could be …

  1. sitta_europea Silver badge

    "... Yan Zhu said ..."

    This browser is no longer supported. Please switch to a supported browser...

    1. DS999 Silver badge

      What browser are you using? It worked for me on Firefox/Linux.

      Though if Twitter is going to start limiting support for browsers it is probably time to just directly quote the entire thing and not link to the site at all. And for people who distribute information via that platform to consider switching to Threads or Substack.

  2. SVD_NL Silver badge

    I wonder...

    ...how many Okta customers don't have MFA implemented.

    I'm filing this under "Reasons why passwords suck and you shouldn't rely on them", funny bug but no big deal at the end of the day.

    1. Doctor Syntax Silver badge

      Re: I wonder...

      File it instead under "Reasons why email addresses are crap user IDs". Two other reasons are:

      1. Email addresses are likely to be widely known. If I email people as fred@example.com then anyone who I've emailed, or has seen a forwarded email with that address can guess that that's my login on example.com's systems and possibly at other online sites then part of their work is done for them.

      2. If I use fred@example com because example.com is an email provider, or even worse, an ISP, I'm stuck with them however I might wish to migrate because it's going to be a nightmare trying to change user IDs with every service where I've used that; it's even going to be a nightmare trying to remember all the places where I might have to change it.

      1. doublelayer Silver badge

        Re: I wonder...

        Neither of which is very important because:

        1. The email address is easily guessed: for most users, the username they pick is not going to be any harder to guess, and it's likely it will be the same one they use on any other site that demands one. For anyone who wants to have unique usernames, they can stick something on the end, fred+randomstring@example.com, and then it's unique again and still sends emails to the right place.

        2. Almost every service is going to have an email anyway, they're just going to have a separate username. You still need to update that email any time you decide to stop having the previous email, because it's going to be used for notifications, auth checks, and various other important things. That is a good reason to switch all accounts whenever you know you're losing an email and not to rely on an email you could easily lose by changing ISP.

      2. sabroni Silver badge
        Happy

        Re: Reasons why email addresses are crap user IDs

        Failing when a username is longer than 51 characters is the problem here. Moaning about the use of email addresses as user ids misses the point. If it's supposed to support names longer than 51 characters it should have been tested with them.

        Email addresses are often bad user ids but if your system only supports names of 50 characters do some basic validation on your inputs before you let people in.

  3. Henry 8

    Double hashing?

    > Passing the input through the SHA-256 algorithm can mitigate this, she said.

    Unless your sha256'ed password happens to end up starting with a null, in which case you're in for a world of pain : https://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html

    Summary: your bcrypt implementation perhaps uses null-terminated strings to know when to stop, as is traditional. Hashing algorithims like sha256 can end up returning a raw byte string, and so a sha256 hash might end up starting with a null byte. Thus, re-hashing the hash might mean you're really calling bcrypt(\0MySuperSecretPasswordHash) might be functionally equivalent to bcrypt(\0MyTotallyDifferentPasswordHash), or indeed just bcrypt(\0)

    1. Claptrap314 Silver badge
      FAIL

      Re: Double hashing?

      I guess I should have dug in to bcrypt when I notices the mind-boggling character limit two and a half years ago. \o/

      Okay, so here's the fix: sha256 has 32 byte. Take the output of that and run it through a Base64 encoder. That will have 44 characters. Run that through bcrypt.

  4. Missing Semicolon Silver badge
    Boffin

    Dumb hash implementation

    Sounds like the hash is made with

    generate_bcrypt(username + password)

    Had it been done with

    generate_bcrypt(password + username)

    everthing would have been fine. Passwords are almost never 52 characters long, and even if the username is truncated, the most changeable bit (the name part) would survive the longest.

    1. hayzoos

      Re: Dumb hash implementation

      I routinely use passwords longer than 52 characters, whenever they are not limited to less. Same goes for usernames. Both are randomly generated and stored in a password manager. I also use TOTP or U2F token if supported. My password manager master password is longer than 52 characters.

      So, OKTA would have likely trashed my attempts to be more secure than average. Nice, NOT.

    2. CowHorseFrog Silver badge

      Re: Dumb hash implementation

      This entire problem was caused by people making assumptions, the saying assumption smake an ass out of you me has never been more true.

  5. loops

    The most interesting part of this was the revelation (on Xittier) that Cloudflare have dropped Okta and have developed their own identity service.

  6. Bebu sa Ware
    Windows

    Work Experience Cryptography

    Some kid from the local Comprehensive on work experience, given an old edition of Bruce Schneier's Applied Cryptography* and told to cobble together some password hashing code.

    Only reason this is farfetched is that arguably the kid would have done a better job. :)

    Given Okta, and fellow travellers in this line of snake oil, literally hold the keys if a good many kingdoms one would have hoped, even expected, the critical code would have been subjected to some very rigorous scrutiny.

    * curiously bcrypt() is based on blowfish which was devised by Schneier in the early 1990s.The scary bit is that bcrypt passphrases are constrained to [8..56] characters which given the vulnerability suggests how Okta were (mis)using bcrypt.

  7. CowHorseFrog Silver badge

    One has too wonder why nobody wrote a few unit tests for one of the most important parts of the system integrity.. eg tests for user + password combos from small to 100 chars or whate er the system limit for u/p in octa is.

    Its also sad that bcrypt allows inputs greater than the hash length of 52. It shoudl force the callers to truncate their input to 52 chars, so they are actively aware of this hard limit instead of just "silently continuing".

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like