Re: [WebDNA] Best practice re: password storage

This WebDNA talk-list message is from 2013.

[MATH]{[DATE]}[/MATH][MATH]{[TIME]}[/MATH][RANDOM][RANDOM][RANDOM]


On 03/10/2013, at 7:27 AM, Tom Duke <tom@revolutionaries.ie> wrote:

Dan,

Hi - thanks for your feedback - it's definitely helpful.    

One initial question re: your 256 char seed, I thought (from the docs) that the seed length was limited to eight characters? 

One idea I'm thinking through, which I'm pretty sure was mentioned on the list before, is to include a client specific seed and other things such as API keys in an encrypted template.  Maybe set up a few custom functions on the template so the seed could never be exposed as a variable even if a hacker got access to the source code.

A difficulty I have though is that I can't document to a client how [encrypt] and [cart] work.   I use [encrypt] for storing passwords, and [cart] for generating session cookies.   

While I can understand that WebDNA may not want to divulge how these tags work, it leaves me with a situation where all I can say to a client is 'trust us'.  I can't state the level of predictability of [cart], or the levels of cryptography used in [encrypt]. 

- Tom


--------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: archives: http://mail.webdna.us/list/talk@webdna.us Bug Reporting: support@webdna.us

Stuart Tremain
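The date + time + [random] token suggested in the message above, modelled as an added example (this is not code from the WebDNA list or from the WebDNA product): it estimates how many bits of guessing entropy such a token carries once an attacker has narrowed down the server clock, and builds an OS-CSPRNG token for comparison. The [random] output range of 0..32767 and the clock window are assumptions, not facts stated in the thread.

```python
# Added example, not from the WebDNA list message. Estimates the guessing
# space of a session token shaped like [date][time][random][random][random]
# next to a CSPRNG token. Labelled assumptions:
# - WebDNA's [random] is modelled as a uniform integer in 0..32767
#   (RANDOM_RANGE is an assumption; adjust it if the real range differs).
# - The attacker knows the server clock to within a few seconds, so the
#   [date] and [time] parts contribute almost nothing to unpredictability.
import hmac
import math
import secrets
from datetime import datetime

RANDOM_RANGE = 32768   # assumed size of the [random] output space
RANDOM_CALLS = 3       # [random][random][random] in the suggestion


def token_bits(clock_window_seconds: int, random_range: int = RANDOM_RANGE,
               random_calls: int = RANDOM_CALLS) -> float:
    """Bits of guessing entropy in a date+time+random token when the attacker
    has narrowed the clock to `clock_window_seconds` candidate values."""
    # Each [random] call adds at most log2(range) bits, and only if the
    # generator itself is unpredictable, which the thread does not establish.
    clock_bits = math.log2(max(clock_window_seconds, 1))
    return clock_bits + random_calls * math.log2(random_range)


def webdna_style_token(now: datetime, randoms) -> str:
    """Reproduce the shape of the suggested token: YYYYMMDD HHMMSS r r r."""
    return now.strftime("%Y%m%d%H%M%S") + "".join(str(r) for r in randoms)


def csprng_token(nbytes: int = 32) -> str:
    """Session token drawn from the OS CSPRNG: 256 bits, no clock component."""
    return secrets.token_urlsafe(nbytes)


def tokens_match(stored: str, presented: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(stored.encode(), presented.encode())
```

With the clock known to the second the three [random] values are the whole secret, about 45 bits under the assumed range, against 256 bits for the CSPRNG token.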
