Re: [WebDNA] Best practice re: password storage

This WebDNA talk-list message is from 2013.


Associated Messages, from the most recent to the oldest:

  1. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  2. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  3. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  4. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  5. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  6. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  7. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  8. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  9. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  10. Re: [WebDNA] Best practice re: password storage (Bill DeVaul 2013)
  11. Re: [WebDNA] Best practice re: password storage (Donovan Brooke 2013)
  12. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  13. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  14. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  15. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  16. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  17. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  18. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  19. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  20. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  21. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  22. [WebDNA] Best practice re: password storage (Tom Duke 2013)
Using info from the link Stuart sent last night, I cobbled together some functions to do "proper" hashing via WebDNA. If you find any mistakes or have questions let me know.

[!]--------------------------------------------------------------------------
One way to do "proper" hashing using WebDNA on linux/unix
See: https://crackstation.net/hashing-security.htm#properhashing
Compact [function]s first, verbose & educational script after.
by Dan Strong - http://www.DanStrong.com
Free to use, no strings attached.
-------------------------------------------------------------------------[/!]

[!]------// FUNCTIONS //----------------------------[/!]

[!]-- "danFunc_makeSalt" (ex: "8630d1f3a3ff0ee8f72856f5692d9ccd" - usage: "[danFunc_makeSalt]" --[/!]
[function name=danFunc_makeSalt]
[text]longRandomSalt=[getchars start=1&end=10][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][shell]echo $RANDOM$RANDOM$RANDOM[/shell][/encrypt][/getchars][/text]
[return][longRandomSalt][/return]
[/function]

[!]-- "danFunc_saltHashPassword" (ex: "e7fdd33de69677f0ed77f68cf54060ef9fa240204b9c40af0c75d0f80169bce7" - usage: "[danFunc_saltHashPassword pw=somePassword]" --[/!]
[function name=danFunc_saltHashPassword]
[text]saltedAndHashed=[shell]echo -n [danFunc_makeSalt][pw] | sha256sum[/shell][/text]
[return][saltedAndHashed][/return]
[/function]

[!]------// VERBOSE & EDUCATIONAL //----------------------------[/!]

[text]theUsersPassword=password-they-provided[/text]

[!]=========== TO STORE A PASSWORD ===============[/!]

[!]-- 1) Generate a long random salt using a CSPRNG (we're using /dev/random)--[/!]
[text]longRandomSalt=[!]
[/!][getchars start=1&end=32][!]
[/!][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][!]
[/!][shell]echo $RANDOM$RANDOM$RANDOM[/shell][!]
[/!][/encrypt][!]
[/!][/getchars][!]
[/!][/text]

[!]-- 2) Prepend the salt to the password and hash it with a standard cryptographic hash function such as SHA256 --[/!]
[text]saltedAndHashed=[shell]echo -n [longRandomSalt][theUsersPassword] | sha256sum[/shell][/text]

[!]-- 3) Save both the salt and the hash in the user's database record --
[append] or [replace] to your db as appropriate
salt = [longRandomSalt]
hash = [saltedAndHashed]
-------------[/!]

[!]=========== TO VALIDATE A PASSWORD ===============[/!]

[!]-- Test comparison by swapping password variable in STEP 2 to either -SAME or -DIFF --[/!]
[text]theUsersPassword-SAME=[theUsersPassword][/text]
[text]theUsersPassword-DIFF=[random][random][random][/text]

[!]-- 1) Retrieve the user's salt and hash from the database --
[search] or [lookup] as appropriate
- For illustrative purposes, pretend we actually retrieved...
- We know these values from above, so we'll set them up now
-------------[/!]
[text]saltFromDB=[longRandomSalt][/text]
[text]hashFromDB=[saltedAndHashed][/text]

[!]-- 2) Prepend the salt to the given password and hash it using the same hash function --[/!]
[text]saltedAndHashedFromDB=[shell]echo -n [saltFromDB][theUsersPassword-DIFF] | sha256sum[/shell][/text]

[!]-- 3) Compare the hash of the given password with the hash from the database. If they match, the password is correct. Otherwise, the password is incorrect --[/!]
[if "[hashFromDB]"="[saltedAndHashedFromDB]"]
[then]THEY MATCH - Let the user in[/then]
[else]THEY DON'T MATCH - Release the hounds[/else]
[/if]

Dan Strong
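The same store-then-validate flow that the post's WebDNA script shells out for, written here as an added POSIX shell example (not Dan's code) around the same sha256sum the post uses; it assumes coreutils (sha256sum, od, cut) and /dev/urandom are available. Unlike the compact danFunc_saltHashPassword, which generates a salt internally and returns only the hash, it returns the salt together with the hash so the stored record can actually be verified later.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes GNU/BSD coreutils
# (sha256sum, od, cut, tr) and a kernel CSPRNG at /dev/urandom.

# Store step 1: a 16-byte salt from the kernel CSPRNG, hex-encoded (32 chars).
# The post's step 1 asks for a CSPRNG; bash's $RANDOM is a 15-bit
# non-cryptographic PRNG, so /dev/urandom is used here instead.
make_salt() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Store step 2: SHA-256 over salt || password, 64 hex chars. printf is used
# rather than "echo -n" because echo -n is not portable across /bin/sh variants.
# Only the digest is kept; sha256sum's trailing "  -" is cut off.
salt_hash() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Store step 3: the record to write to the user's row as "salt:hash".
# Both halves are needed to validate later.
store_password() {
    salt=$(make_salt)
    printf '%s:%s\n' "$salt" "$(salt_hash "$salt" "$1")"
}

# Validate: split the stored record, rehash the candidate password with the
# stored salt, compare. Exit status 0 means the password is correct.
verify_password() {
    record=$1
    candidate=$2
    salt=${record%%:*}
    stored=${record#*:}
    [ "$(salt_hash "$salt" "$candidate")" = "$stored" ]
}
```

A stored record looks like `<32 hex chars of salt>:<64 hex chars of hash>`, so each user gets a different hash for the same password.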
