Passwords and Security Information
How does ADAM store passwords?
ADAM stores passwords in its database using a one-way salted hash algorithm.
- Because it is a one-way algorithm, it is not possible to determine what your original password was.
- Because it is “salted”, even if two or more people do have the same password, someone looking at the database would see different hash values and not know.
How can you tell if I give you the right password?
Very simply, we perform the same algorithm on the password you provide when you log in to the system and see if we end up with the same hash. If they match, then you must have provided the correct password. If they don’t, then you gave an incorrect password.
As an analogy: how could you tell if someone used the same ingredients to make two different cakes? Once the cakes are baked (baking is the one-way operation in this scenario), you can’t see the ingredients any more. However, a skillful taster will be able to compare the flavours of the two cakes to see if they taste exactly the same.
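The "bake, then compare" idea above, written out as working code. This is an added example and not ADAM's own implementation: it assumes PBKDF2-HMAC-SHA256 as the one-way function, a 16-byte random salt per user and 600,000 iterations, none of which the page specifies. The point it demonstrates is that two users with the same password get different stored records, and that checking a login means re-running the same function with the stored salt and comparing the result.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not ADAM's actual ones).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The salt is generated fresh for every call, so two users who choose the
    same password end up with different records in the database.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-run the one-way function with the stored salt and compare the outputs.

    The original password cannot be recovered from the record; the only thing
    the server can do is "bake" the supplied password the same way and see
    whether the result matches.
    """
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def demo() -> dict:
    """Two users, same password: different records, both still verifiable."""
    shared = "correct horse battery staple"  # constructed sample password
    alice = hash_password(shared)
    bob = hash_password(shared)
    return {
        "records_differ": alice != bob,
        "alice_ok": verify_password(shared, alice),
        "bob_ok": verify_password(shared, bob),
        "wrong_rejected": verify_password("Correct horse battery staple", alice),
    }


if __name__ == "__main__":
    print(demo())
```

Because the salt and iteration count are stored inside the record, the verification side needs nothing beyond the record itself, and the iteration count can be raised later for new passwords without breaking existing ones.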
Is my password ever written down or stored anywhere?
Never in anything that could be considered permanent storage.
To be clear, when you type in your password, your computer encrypts the login request and sends that to the ADAM server which decrypts it into memory. The password is then checked against your account (see one-way hashing above) for validity and, if it hasn’t already been checked before, ADAM will check your password against the haveibeenpwned.com password service which checks passwords against a database of known breached passwords.
In the process of checking your password, ADAM stores a SHA-1 hash of your password in the database until such time as the password is checked. SHA-1 hashing is a common, secure, but unsalted mechanism of one-way hashing a password. This hash is required by the haveibeenpwned.com service and is used solely for that reason. The checks happen every 5 minutes. The storage space is located entirely in temporary memory and is not written to disk. The data for password checks is not backed up.
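An added example of the breached-password lookup described above, not ADAM's own code. It assumes the Pwned Passwords range endpoint operated by haveibeenpwned.com (https://api.pwnedpasswords.com/range/{prefix}), which takes only the first five hex characters of the SHA-1 hash and returns every matching hash suffix with a count, so the full hash never has to leave the server. The network call is replaced by a constructed response table so the example runs offline; the counts in that table are made up, although the first suffix listed is the genuine SHA-1 suffix of the string "password".

```python
import hashlib
from typing import Callable, Dict

# Constructed stand-in for the text the range endpoint returns for prefix
# "5BAA6": one "SUFFIX:COUNT" line per known hash sharing that prefix. The
# real service returns several hundred lines; counts here are made up.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n"
    ),
}


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to the service
    and the 35-char suffix that stays on the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines into a lookup table."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the breach corpus (0 = not found).

    fetch_range(prefix) must return the response body for that prefix; in
    production it would be an HTTPS GET of the range endpoint.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Offline substitute for the HTTP call, backed by the constructed table."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "a long passphrase nobody has leaked"):
        n = breach_count(candidate, offline_fetch)
        status = f"seen {n} times" if n else "not found"
        print(f"{candidate!r}: {status}")
```

The count returned is the value a warning like ADAM's "this password has been used before" can display, and the prefix-only query is why the check can be run against an external service without disclosing the password hash itself.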
ADAM tells me there is a problem with my password. Why?
When you log in to ADAM with a new password, ADAM will check your password against the haveibeenpwned.com database of over 500 million compromised passwords. If it discovers that the password has been used before, it records how many times it has been used. We’re hoping it isn’t there at all!
When you visit your landing page, if the password has been used before, ADAM will display a warning similar to this one:
I login to ADAM with my network password. Must I still change it?
The fact remains that if you’ve chosen a weak password, that password may make it easier for hackers to compromise the security of the ADAM database by simply logging in with your details and getting access to everything that you can see.
Some schools have ADAM log in by querying the password against their network server instead of having ADAM manage a separate password. In these cases, ADAM will still check the quality of your password, but it can’t give you the opportunity to change it.
In these instances, you should update your network password. When you next log in to ADAM, your new password will be checked.
Two Factor Authentication
What is Two Factor Authentication?
Two Factor Authentication (or 2FA) is a more secure login mechanism that requires a one-time PIN to be entered as a second factor. You have possibly used something similar with your online banking.
ADAM makes use of a time-based one-time PIN (TOTP), which generates a six-digit number based on the time of the login. The six-digit number is unique for each user, each time they request it. It is calculated with some fairly fancy mathematics, which makes it difficult to reverse engineer and thus for anyone else to guess.
Currently staff members can set up 2FA for their accounts.
Enabling Two Factor Authentication
ADAM is automatically configured to allow any staff member to set up Two Factor Authentication on their accounts. Note that 2FA requires a secret value to be set in the Site Settings which it uses to encrypt the 2FA secrets that ADAM needs to generate each user’s one-time PIN.
If you change this secret, which is generated randomly, all existing 2FA keys will be invalidated and users will no longer be able to access your ADAM server.
To make use of 2FA, the user must have a compatible time-based one-time PIN generator. Two popular examples are Google Authenticator and Authy. Both of these apps are available for Android and iOS devices. Users of 1Password can also have their TOTPs generated from within that service.
To enable 2FA, a user needs to navigate to Staff → Security Administration → Manage Two Factor Authentication.
ADAM will automatically recognise whether the user has been signed up for 2FA or not. A user who has not yet been signed up is presented with a QR code and asked to supply a confirmation code.
The QR code must be scanned by the TOTP app. In so doing, the app will begin to generate one-time PIN numbers. Here shown with the Google Authenticator app, available on both Android and iOS:
The OTP is then shown on the screen and must be correctly confirmed in ADAM. Two Factor Authentication is only activated if the correct Confirmation Code is provided.
If Two Factor Authentication is confirmed, ADAM will show the following screen:
If the confirmation code was entered incorrectly, ADAM will show the following error:
In this instance, check the OTP again and re-enter it. The QR code should not change between attempts, so it shouldn’t be necessary to rescan the barcode.
Removing Two Factor Authentication
If a user is enrolled for Two Factor Authentication, they can remove 2FA by navigating to Staff → Security Administration → Manage Two Factor Authentication, entering their password on that screen and then clicking Remove Two Factor Authentication.
Note that if 2FA is reinstated by a user after being removed, their app will have to be updated with a new QR Code. ADAM does not allow a previous code to be used. The code should be removed from the 2FA app when 2FA is disabled from the account.
Troubleshooting 2FA and OTPs
The most common issues arise from the fact that the OTP is time-based.
If, for example, there is a delay in entering the OTP, the OTP may expire. Although the OTP changes every 30 seconds, ADAM will allow an OTP to be used for up to another 60 seconds after it disappears from the app. This is to help offset any potential differences in clocks between the phone and the server.
Because the OTPs are time-based, it is crucial that the server and the phone both have accurate time. Most phones are set via their GPS chips. Servers should be synchronised to an internet time server and be configured with the correct timezone.
Storage of 2FA Secrets
The 2FA secrets are stored in encrypted format in the database. The decryption key, however, is also stored in the database, in the Site Settings. For increased security, the 2FA secret should be removed from the Site Settings (blanked out, ideally) and stored in your ADAM configuration file.