This is an idea for a username/password storage backend for Vault, specifically for authentication by another service (such as a web-app).
The idea would be to reduce the chance of password DB dumps or leaks by providing only two possible operations:
Set a username/password pair.
Check a username/password pair.
The key point is that there would be no mechanism for ever retrieving the encrypted stored password, and especially not for retrieving all of them at once (as they are commonly compromised on web applications and online services).
This idea grew out of an exchange I had with Dan Kaminsky on Twitter a while ago [1], but it only just occurred to me that perhaps Vault would be a good platform for implementing a system like this. If I understand correctly, there are already features in Vault for storing data in Vault that is never again directly retrievable (such as the CA secret key in the PKI backend).
If there was a plugin system, I think I'd have a crack at writing something myself. I don't speak Go (yet) though, and I'm interested in your thoughts.
This already exists -- check the userpass backend. Successful auth gives a Vault token but it could be restricted to not have any policies configured and a super short lifetime, so that the net effect is a simple password check that is true or false based on the presence of a returned token.
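The pattern the reply describes, written out as an added Python example that is not part of this issue or of Vault's own code: a "set" that creates a userpass user whose login token carries no policies and dies almost immediately, and a "check" that logs in and treats the presence of a returned token as the yes/no answer. It assumes the userpass method is mounted at its default path `auth/userpass`, a Vault version that supports the `token_*` user fields, and an admin token held only by the component that sets passwords; the `opener` parameter exists so the flow can be exercised without a live server.

```python
import json
import urllib.error
import urllib.request


class VaultPasswordStore:
    """Exposes only 'set' and 'check' on top of Vault's userpass auth method.
    Assumptions (not from the issue): userpass is mounted at auth/userpass and
    the Vault version supports the token_* user fields."""

    def __init__(self, addr, admin_token=None, opener=urllib.request.urlopen):
        self.addr = addr.rstrip("/")
        self.admin_token = admin_token   # only needed by set_password
        self._open = opener              # injectable for offline exercise

    def _post(self, path, body, token=None):
        req = urllib.request.Request(
            f"{self.addr}/v1/{path}", data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        if token:
            req.add_header("X-Vault-Token", token)
        try:
            with self._open(req) as resp:
                raw = resp.read()                       # 204 replies are empty
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:           # 400 = bad credentials
            return err.code, {}

    def set_password(self, username, password):
        # Requires a token permitted to write auth/userpass/users/<name>. The
        # user is created so that a successful login yields a token that holds
        # no policies at all and expires after a single use or 10 seconds.
        body = {"password": password, "token_policies": [],
                "token_no_default_policy": True,
                "token_ttl": "10s", "token_num_uses": 1}
        status, _ = self._post(f"auth/userpass/users/{username}", body,
                               self.admin_token)
        return status in (200, 204)

    def check_password(self, username, password):
        # Login is an unauthenticated endpoint: the checking service holds no
        # Vault token of its own, and the stored password never leaves Vault.
        status, data = self._post(f"auth/userpass/login/{username}",
                                  {"password": password})
        token = data.get("auth", {}).get("client_token") if status == 200 else None
        if not token:
            return False
        # The token is the yes/no answer; revoke it at once so nothing lingers.
        self._post("auth/token/revoke-self", {}, token)
        return True
```

The web-app process that only ever checks passwords needs no Vault token at all, which is what keeps a compromise of that process from turning into a dump of the user store.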
[1] https://twitter.com/dakami/status/764694476476387328