Re: [WebDNA] Best practice re: password storage

This WebDNA talk-list message is from

2013


It keeps the original formatting.
numero = 110788
interpreted = N
texte = THAT'S GREAT DAN, I will have to post you a few more ideas for you to do = the hard work !! I will use what you have done for a new site that I am developing. Regards Stuart Tremain IDFK Web Developments AUSTRALIA webdna@idfk.com.au On 04/10/2013, at 9:00 AM, Dan Strong wrote: > Better formatting here, in case email chews it up: > http://danstrong.com/blog/secure-hashing-with-webdna/ >=20 > -Dan Strong > http://www.DanStrong.com >=20 > On 10/3/2013 3:59 PM, Dan Strong wrote: >> Using info from the link Stuart sent last night, I cobbled together = some functions to do "proper" hashing via WebDNA. If you find any = mistakes or have questions let me know. >>=20 >> = [!]-----------------------------------------------------------------------= ---=20 >> One way to do "proper" hashing using WebDNA on linux/unix >> See: https://crackstation.net/hashing-security.htm#properhashing >>=20 >> Compact [function]s first, verbose & educational script after. >> by Dan Strong - http://www.DanStrong.com >> Free to use, no strings attached. >> = -------------------------------------------------------------------------[= /!]=20 >>=20 >> [!]------// FUNCTIONS //----------------------------[/!] >> [!]-- "danFunc_makeSalt" (ex: "8630d1f3a3ff0ee8f72856f5692d9ccd" - = usage: "[danFunc_makeSalt]" --[/!] >> [function name=3DdanFunc_makeSalt] >> [text]longRandomSalt=3D[getchars start=3D1&end=3D10][encrypt= seed=3D[shell]echo $RANDOM[/shell]&method=3Dblowfish][shell]echo = $RANDOM$RANDOM$RANDOM[/shell][/encrypt][/getchars][/text] >> [return][longRandomSalt][/return] >> [/function] >>=20 >> [!]-- "danFunc_saltHashPassword" (ex: = "e7fdd33de69677f0ed77f68cf54060ef9fa240204b9c40af0c75d0f80169bce7" - = usage: "[danFunc_saltHashPassword pw=3DsomePassword]" --[/!] >> [function name=3DdanFunc_saltHashPassword] >> [text]saltedAndHashed=3D[shell]echo -n = [danFunc_makeSalt][pw] | sha256sum[/shell][/text] >> [return][saltedAndHashed][/return] >> [/function] >>=20 >>=20 >> [!]------// VERBOSE & EDUCATIONAL //----------------------------[/!] >> [text]theUsersPassword=3Dpassword-they-provided[/text] >>=20 >> [!]=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D TO STORE A PASSWORD = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D[/!] >> [!]-- 1) Generate a long random salt using a CSPRNG (we're = using /dev/random)--[/!] >> [text]longRandomSalt=3D[!] >> [/!][getchars start=3D1&end=3D32][!] >> [/!][encrypt seed=3D[shell]echo = $RANDOM[/shell]&method=3Dblowfish][!] >> [/!][shell]echo = $RANDOM$RANDOM$RANDOM[/shell][!] >> [/!][/encrypt][!] >> [/!][/getchars][!] >> [/!][/text] >>=20 >> [!]-- 2) Prepend the salt to the password and hash it with a = standard cryptographic hash function such as SHA256 --[/!] >> [text]saltedAndHashed=3D[shell]echo -n = [longRandomSalt][theUsersPassword] | sha256sum[/shell][/text] >>=20 >> [!]-- 3) Save both the salt and the hash in the user's = database record -- >> [append] or [replace] to your db as appropriate >> salt =3D [longRandomSalt] >> hash =3D [saltedAndHashed] >> -------------[/!] >>=20 >> [!]=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D TO VALIDATE A PASSWORD = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D[/!] >> [!]-- Test comparison by swapping password variable in STEP 2 = to either -SAME or -DIFF --[/!] >> [text]theUsersPassword-SAME=3D[theUsersPassword][/text] >> [text]theUsersPassword-DIFF=3D[random][random][random][/text] >>=20 >> [!]-- 1) Retrieve the user's salt and hash from the database = -- >> [search] or [lookup] as approriate >> - For illustrative purposes, pretend we actually = retrieved... >> - We know these values from above, so we'll set them up = now >> -------------[/!] >> [text]saltFromDB=3D[longRandomSalt][/text] >> [text]hashFromDB=3D[saltedAndHashed][/text] >>=20 >> [!]-- 2) Prepend the salt to the given password and hash it = using the same hash function --[/!] >> [text]saltedAndHashedFromDB=3D[shell]echo -n = [saltFromDB][theUsersPassword-DIFF] | sha256sum[/shell][/text] >>=20 >> [!]-- 3) Compare the hash of the given password with the hash = from the database. If they match, the password is correct. Otherwise, = the password is incorrect --[/!] >> [if "[hashfromDB]"=3D"[saltedAndHashedFromDB]"] >> [then]THEY MATCH - Let the user in[/then] >> [else]THEY DON'T MATCH - Release the hounds[/else] >> [/if] >> --------------------------------------------------------- >> This message is sent to you because you are subscribed to >> the mailing list . >> To unsubscribe, E-mail to: >> archives: http://mail.webdna.us/list/talk@webdna.us >> Bug Reporting: support@webdna.us >=20 > --------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/talk@webdna.us > Bug Reporting: support@webdna.us Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  2. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  3. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  4. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  5. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  6. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  7. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  8. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  9. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  10. Re: [WebDNA] Best practice re: password storage (Bill DeVaul 2013)
  11. Re: [WebDNA] Best practice re: password storage (Donovan Brooke 2013)
  12. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  13. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  14. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  15. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  16. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  17. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  18. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  19. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  20. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  21. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  22. [WebDNA] Best practice re: password storage (Tom Duke 2013)
THAT'S GREAT DAN, I will have to post you a few more ideas for you to do = the hard work !! I will use what you have done for a new site that I am developing. Regards Stuart Tremain IDFK Web Developments AUSTRALIA webdna@idfk.com.au On 04/10/2013, at 9:00 AM, Dan Strong wrote: > Better formatting here, in case email chews it up: > http://danstrong.com/blog/secure-hashing-with-webdna/ >=20 > -Dan Strong > http://www.DanStrong.com >=20 > On 10/3/2013 3:59 PM, Dan Strong wrote: >> Using info from the link Stuart sent last night, I cobbled together = some functions to do "proper" hashing via WebDNA. If you find any = mistakes or have questions let me know. >>=20 >> = [!]-----------------------------------------------------------------------= ---=20 >> One way to do "proper" hashing using WebDNA on linux/unix >> See: https://crackstation.net/hashing-security.htm#properhashing >>=20 >> Compact [function]s first, verbose & educational script after. >> by Dan Strong - http://www.DanStrong.com >> Free to use, no strings attached. >> = -------------------------------------------------------------------------[= /!]=20 >>=20 >> [!]------// FUNCTIONS //----------------------------[/!] >> [!]-- "danFunc_makeSalt" (ex: "8630d1f3a3ff0ee8f72856f5692d9ccd" - = usage: "[danFunc_makeSalt]" --[/!] >> [function name=3DdanFunc_makeSalt] >> [text]longRandomSalt=3D[getchars start=3D1&end=3D10][encrypt= seed=3D[shell]echo $RANDOM[/shell]&method=3Dblowfish][shell]echo = $RANDOM$RANDOM$RANDOM[/shell][/encrypt][/getchars][/text] >> [return][longRandomSalt][/return] >> [/function] >>=20 >> [!]-- "danFunc_saltHashPassword" (ex: = "e7fdd33de69677f0ed77f68cf54060ef9fa240204b9c40af0c75d0f80169bce7" - = usage: "[danFunc_saltHashPassword pw=3DsomePassword]" --[/!] >> [function name=3DdanFunc_saltHashPassword] >> [text]saltedAndHashed=3D[shell]echo -n = [danFunc_makeSalt][pw] | sha256sum[/shell][/text] >> [return][saltedAndHashed][/return] >> [/function] >>=20 >>=20 >> [!]------// VERBOSE & EDUCATIONAL //----------------------------[/!] >> [text]theUsersPassword=3Dpassword-they-provided[/text] >>=20 >> [!]=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D TO STORE A PASSWORD = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D[/!] >> [!]-- 1) Generate a long random salt using a CSPRNG (we're = using /dev/random)--[/!] >> [text]longRandomSalt=3D[!] >> [/!][getchars start=3D1&end=3D32][!] >> [/!][encrypt seed=3D[shell]echo = $RANDOM[/shell]&method=3Dblowfish][!] >> [/!][shell]echo = $RANDOM$RANDOM$RANDOM[/shell][!] >> [/!][/encrypt][!] >> [/!][/getchars][!] >> [/!][/text] >>=20 >> [!]-- 2) Prepend the salt to the password and hash it with a = standard cryptographic hash function such as SHA256 --[/!] >> [text]saltedAndHashed=3D[shell]echo -n = [longRandomSalt][theUsersPassword] | sha256sum[/shell][/text] >>=20 >> [!]-- 3) Save both the salt and the hash in the user's = database record -- >> [append] or [replace] to your db as appropriate >> salt =3D [longRandomSalt] >> hash =3D [saltedAndHashed] >> -------------[/!] >>=20 >> [!]=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D TO VALIDATE A PASSWORD = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D[/!] >> [!]-- Test comparison by swapping password variable in STEP 2 = to either -SAME or -DIFF --[/!] >> [text]theUsersPassword-SAME=3D[theUsersPassword][/text] >> [text]theUsersPassword-DIFF=3D[random][random][random][/text] >>=20 >> [!]-- 1) Retrieve the user's salt and hash from the database = -- >> [search] or [lookup] as approriate >> - For illustrative purposes, pretend we actually = retrieved... >> - We know these values from above, so we'll set them up = now >> -------------[/!] >> [text]saltFromDB=3D[longRandomSalt][/text] >> [text]hashFromDB=3D[saltedAndHashed][/text] >>=20 >> [!]-- 2) Prepend the salt to the given password and hash it = using the same hash function --[/!] >> [text]saltedAndHashedFromDB=3D[shell]echo -n = [saltFromDB][theUsersPassword-DIFF] | sha256sum[/shell][/text] >>=20 >> [!]-- 3) Compare the hash of the given password with the hash = from the database. If they match, the password is correct. Otherwise, = the password is incorrect --[/!] >> [if "[hashfromDB]"=3D"[saltedAndHashedFromDB]"] >> [then]THEY MATCH - Let the user in[/then] >> [else]THEY DON'T MATCH - Release the hounds[/else] >> [/if] >> --------------------------------------------------------- >> This message is sent to you because you are subscribed to >> the mailing list . >> To unsubscribe, E-mail to: >> archives: http://mail.webdna.us/list/talk@webdna.us >> Bug Reporting: support@webdna.us >=20 > --------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/talk@webdna.us > Bug Reporting: support@webdna.us WebDNA

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

WebCatalog f2 Installation (1997) WebDNA deletes major DB data big time (2004) Error: Too many nested [xxx] contexts (1997) Order not created error (1997) Secure Server (1997) How replace title with buttons.jpg (2000) SORRY (1997) Shownext problems (1999) Email within tmpl ? (1997) Giving out error pages (1997) PhotoMill -> PhotoMaster (1997) Sort Order on a page search (1997) RAM variables (1997) WC2.0 Memory Requirements (1997) Separate SSL Server (1997) Where's Cart Created ? (1997) [OT] What System Software? (2003) time + (1998) Search multiple fields (1997) Random sort is not random at all..... (2000)