StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POCan I use a hashed password as the secret for generating a hmac?
primarykey
Id
12519741
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
11
CommunityOwnedDate
CreationDate
2012-09-20T19:40:04.040
FavoriteCount
0
LastActivityDate
2012-09-20T19:41:25.310
LastEditDate
2012-09-20T19:41:25.310
LastEditorUserId
183528
OwnerUserId
1681337
ParentId
0
PostTypeId
1
Score
2
ViewCount
312
LastEditorDisplayName
text
Body
I think it would be very comfortable to use the user's password hash as the secret for generating a hmac. Why is OAuth and others using tokens and nonces? I think of something like this: Client enters a password in the ui. The application registers with the webservice using the hash of that password, which is stored on the server. Form now on that hash hasn't to be transmitted again. The client can always regenerate the secret by asking the user to enter the password and hashing it. Every message is signed with this hash, the server can look it up by username or guid and check if the sent mac is valid. A intruder on the server can get that hash, but doesn't know the users real password, anyway he could send valid request with that hash. But this is not likely to happen, the saved hashes could also be hashed again using a nonce. Anyway because the pwd-file will be on a client's server it should be obfuscated using e.g. base64 to avoid the file looking like {"password":"a4bd146hashhashhash"}. Most of all the real password of the user won't ever be transmitted. The request's will be secured with a timestamp/token against replay (I recognize the purpose of the token here). Sending a hash would be perfectly applicable for me because the client will never be a simple website with a tag e.g.. The webservice will be used in a ajax-based application and a java desktop application, both of them capable of hashing strings... What's wrong with that? It's so simple, more RESTFul than anything related to authentication, and i think yet effective. What am I missing? Greets, kruemel
Tags
<web-services><security><rest><authentication><hmac>
Title
Can I use a hashed password as the secret for generating a hmac?
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USrook
UserOwnerUserId
1. USthertweck
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POCan I use a hashed password as the secret for generating a hmac?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.