Re: [WebDNA] Best practice re: password storage

This WebDNA talk-list message is from 2013.

THAT'S GREAT DAN, I will have to post you a few more ideas for you to do the hard work !! I will use what you have done for a new site that I am developing.

Regards

Stuart Tremain
IDFK Web Developments
AUSTRALIA
webdna@idfk.com.au

On 04/10/2013, at 9:00 AM, Dan Strong wrote:

> Better formatting here, in case email chews it up:
> http://danstrong.com/blog/secure-hashing-with-webdna/
>
> -Dan Strong
> http://www.DanStrong.com
>
> On 10/3/2013 3:59 PM, Dan Strong wrote:
>> Using info from the link Stuart sent last night, I cobbled together some functions to do "proper" hashing via WebDNA. If you find any mistakes or have questions let me know.
>>
>> [!]-------------------------------------------------------------------------
>> One way to do "proper" hashing using WebDNA on linux/unix
>> See: https://crackstation.net/hashing-security.htm#properhashing
>>
>> Compact [function]s first, verbose & educational script after.
>> by Dan Strong - http://www.DanStrong.com
>> Free to use, no strings attached.
>> -------------------------------------------------------------------------[/!]
>>
>> [!]------// FUNCTIONS //----------------------------[/!]
>> [!]-- "danFunc_makeSalt" (ex: "8630d1f3a3ff0ee8f72856f5692d9ccd" - usage: "[danFunc_makeSalt]" --[/!]
>> [function name=danFunc_makeSalt]
>> [text]longRandomSalt=[getchars start=1&end=10][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][shell]echo $RANDOM$RANDOM$RANDOM[/shell][/encrypt][/getchars][/text]
>> [return][longRandomSalt][/return]
>> [/function]
>>
>> [!]-- "danFunc_saltHashPassword" (ex: "e7fdd33de69677f0ed77f68cf54060ef9fa240204b9c40af0c75d0f80169bce7" - usage: "[danFunc_saltHashPassword pw=somePassword]" --[/!]
>> [function name=danFunc_saltHashPassword]
>> [text]saltedAndHashed=[shell]echo -n [danFunc_makeSalt][pw] | sha256sum[/shell][/text]
>> [return][saltedAndHashed][/return]
>> [/function]
>>
>>
>> [!]------// VERBOSE & EDUCATIONAL //----------------------------[/!]
>> [text]theUsersPassword=password-they-provided[/text]
>>
>> [!]=========== TO STORE A PASSWORD ===============[/!]
>> [!]-- 1) Generate a long random salt using a CSPRNG (we're using /dev/random)--[/!]
>> [text]longRandomSalt=[!]
>> [/!][getchars start=1&end=32][!]
>> [/!][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][!]
>> [/!][shell]echo $RANDOM$RANDOM$RANDOM[/shell][!]
>> [/!][/encrypt][!]
>> [/!][/getchars][!]
>> [/!][/text]
>>
>> [!]-- 2) Prepend the salt to the password and hash it with a standard cryptographic hash function such as SHA256 --[/!]
>> [text]saltedAndHashed=[shell]echo -n [longRandomSalt][theUsersPassword] | sha256sum[/shell][/text]
>>
>> [!]-- 3) Save both the salt and the hash in the user's database record --
>> [append] or [replace] to your db as appropriate
>> salt = [longRandomSalt]
>> hash = [saltedAndHashed]
>> -------------[/!]
>>
>> [!]=========== TO VALIDATE A PASSWORD ===============[/!]
>> [!]-- Test comparison by swapping password variable in STEP 2 to either -SAME or -DIFF --[/!]
>> [text]theUsersPassword-SAME=[theUsersPassword][/text]
>> [text]theUsersPassword-DIFF=[random][random][random][/text]
>>
>> [!]-- 1) Retrieve the user's salt and hash from the database --
>> [search] or [lookup] as appropriate
>> - For illustrative purposes, pretend we actually retrieved...
>> - We know these values from above, so we'll set them up now
>> -------------[/!]
>> [text]saltFromDB=[longRandomSalt][/text]
>> [text]hashFromDB=[saltedAndHashed][/text]
>>
>> [!]-- 2) Prepend the salt to the given password and hash it using the same hash function --[/!]
>> [text]saltedAndHashedFromDB=[shell]echo -n [saltFromDB][theUsersPassword-DIFF] | sha256sum[/shell][/text]
>>
>> [!]-- 3) Compare the hash of the given password with the hash from the database. If they match, the password is correct. Otherwise, the password is incorrect --[/!]
>> [if "[hashFromDB]"="[saltedAndHashedFromDB]"]
>> [then]THEY MATCH - Let the user in[/then]
>> [else]THEY DON'T MATCH - Release the hounds[/else]
>> [/if]
>> ---------------------------------------------------------
>> This message is sent to you because you are subscribed to
>> the mailing list .
>> To unsubscribe, E-mail to:
>> archives: http://mail.webdna.us/list/talk@webdna.us
>> Bug Reporting: support@webdna.us
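The salt-then-SHA-256 scheme quoted above, written as POSIX shell functions (an added example, not code from the original post or from WebDNA): the salt is read from /dev/urandom instead of $RANDOM, the password reaches sha256sum as data rather than being spliced into the command text as [pw] is in the quoted [shell] call, sha256sum's trailing "  -" is stripped, and the storing side returns the salt together with the hash so the login side can use it. Function names and the "salt:hash" record layout are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): Dan's salt-then-SHA-256 scheme as
# POSIX shell functions, with the shell-specific rough edges handled.

# 32 hex characters from the kernel CSPRNG (/dev/urandom). The shell's
# $RANDOM is a small, predictable PRNG and is not suitable for salts.
make_salt() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# salt_hash SALT PASSWORD -> 64 hex chars of SHA-256(salt || password).
# The password is written by printf, never placed in the command text, so
# characters such as ; $ ( ) ` in it are not interpreted by the shell.
# sha256sum prints "<digest>  -"; cut keeps only the digest.
salt_hash() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# make_record PASSWORD -> "salt:hash", i.e. what goes into the user's DB row.
# Both values are returned, because the salt is needed again at login.
make_record() {
    salt=$(make_salt)
    printf '%s:%s\n' "$salt" "$(salt_hash "$salt" "$1")"
}

# verify_password RECORD CANDIDATE -> exit status 0 on match, 1 otherwise.
verify_password() {
    stored_salt=${1%%:*}
    stored_hash=${1#*:}
    [ "$(salt_hash "$stored_salt" "$2")" = "$stored_hash" ]
}

# Usage with a constructed sample password (nothing sensitive is printed):
rec=$(make_record 'correct horse battery staple')
if verify_password "$rec" 'correct horse battery staple'; then
    echo "THEY MATCH - let the user in"
fi
```

A single SHA-256 pass mirrors the quoted script; for a real deployment a deliberately slow password hash (bcrypt, scrypt or Argon2) is the stronger choice, and the string comparison in verify_password is not constant-time.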