Re: [WebDNA] Best practice re: password storage

This WebDNA talk-list message is from 2013. It keeps the original formatting.
numero = 110784
interpreted = N
I agree that anything less than a salted hash is an enormous risk for a compromised password. I don't know why a system would need to decrypt a password except for a bad reason.

Bill

On Oct 2, 2013, at 6:06 PM, Donovan Brooke <dbrooke@webdna.us> wrote:

> Hi Tom, no time right now... but my .02¢ below:
>
> > can anyone tell me what algorithm is used?
>
> You could probably find this out... but it's against WSC's policy to talk about this publicly.
>
> > Also how are other people handling password storage?
>
> There is a school of thought that passwords should be a one-way only hash... which ideally, I agree.
> [encrypt] without a seed value does indeed produce the same value.. but there is also [encrypt method=apop].. which is MD5... you could also use [Shell] to access higher-bit hash techniques.. but basically, they'd all work.
>
> It's the random-per-password salting that counts the most I think.
>
> Donovan

---------------------------------------------------------
This message is sent to you because you are subscribed to the mailing list <talk@webdna.us>. To unsubscribe, E-mail to: <talk-leave@webdna.us>. Archives: http://mail.webdna.us/list/talk@webdna.us Bug Reporting: support@webdna.us
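The salted, per-password hashing that Bill and Donovan describe, as an added illustration that is not part of the original thread: it uses Python's hashlib rather than WebDNA's [encrypt] or [Shell] tags, and contrasts a deterministic unsalted digest (equal passwords give equal stored values) with a random-salted, iterated digest that is verified in constant time. The stored record format and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for the slow hash; an assumed value, raise it as hardware gets faster.
ITERATIONS = 200_000


def unsalted_md5(password: str) -> str:
    """Deterministic one-way hash (what an unseeded hash tag gives you):
    the same password always yields the same digest, so two users who share
    a password are exposed by identical stored values and by lookup tables."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. A fresh 16-byte random salt per password means
    equal passwords produce different records and precomputed tables are
    useless. The salt is stored alongside the digest; it is not a secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Assumed record layout: scheme$iterations$salt_hex$digest_hex
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count taken from the stored record
    and compare in constant time. Malformed or unknown records never verify."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iters)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)
```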
Associated Messages, from the most recent to the oldest:

  1. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  2. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  3. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  4. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  5. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  6. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  7. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  8. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  9. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  10. Re: [WebDNA] Best practice re: password storage (Bill DeVaul 2013)
  11. Re: [WebDNA] Best practice re: password storage (Donovan Brooke 2013)
  12. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  13. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  14. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  15. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  16. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  17. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  18. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  19. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  20. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  21. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  22. [WebDNA] Best practice re: password storage (Tom Duke 2013)
Bill DeVaul
