Re: [WebDNA] Best practice re: password storage
This WebDNA talk-list message is from 2013
It keeps the original formatting.
numero = 110789
interpreted = N
texte =
:-) Happy to help. Let me know if you find any bugs or have a better/smarter way to do it.

It actually wasn't that hard (and was fun) to me because I'm interested in it... didn't take too long either once I wrapped my mind around what he was saying.

-Dan Strong
http://www.DanStrong.com

On 10/3/2013 4:03 PM, WebDNA wrote:
> THAT'S GREAT DAN, I will have to post you a few more ideas for you to do the hard work !!
>
> I will use what you have done for a new site that I am developing.
>
> Regards
>
> Stuart Tremain
> IDFK Web Developments
> AUSTRALIA
> webdna@idfk.com.au
>
> On 04/10/2013, at 9:00 AM, Dan Strong wrote:
>
>> Better formatting here, in case email chews it up:
>> http://danstrong.com/blog/secure-hashing-with-webdna/
>>
>> -Dan Strong
>> http://www.DanStrong.com
>>
>> On 10/3/2013 3:59 PM, Dan Strong wrote:
>>> Using info from the link Stuart sent last night, I cobbled together some functions to do "proper" hashing via WebDNA. If you find any mistakes or have questions let me know.
>>>
>>> [!]--------------------------------------------------------------------------
>>> One way to do "proper" hashing using WebDNA on linux/unix
>>> See: https://crackstation.net/hashing-security.htm#properhashing
>>>
>>> Compact [function]s first, verbose & educational script after.
>>> by Dan Strong - http://www.DanStrong.com
>>> Free to use, no strings attached.
>>> -------------------------------------------------------------------------[/!]
>>>
>>> [!]------// FUNCTIONS //----------------------------[/!]
>>> [!]-- "danFunc_makeSalt" (ex: "8630d1f3a3ff0ee8f72856f5692d9ccd" - usage: "[danFunc_makeSalt]" --[/!]
>>> [function name=danFunc_makeSalt]
>>> [text]longRandomSalt=[getchars start=1&end=10][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][shell]echo $RANDOM$RANDOM$RANDOM[/shell][/encrypt][/getchars][/text]
>>> [return][longRandomSalt][/return]
>>> [/function]
>>>
>>> [!]-- "danFunc_saltHashPassword" (ex: "e7fdd33de69677f0ed77f68cf54060ef9fa240204b9c40af0c75d0f80169bce7" - usage: "[danFunc_saltHashPassword pw=somePassword]" --[/!]
>>> [function name=danFunc_saltHashPassword]
>>> [text]saltedAndHashed=[shell]echo -n [danFunc_makeSalt][pw] | sha256sum[/shell][/text]
>>> [return][saltedAndHashed][/return]
>>> [/function]
>>>
>>>
>>> [!]------// VERBOSE & EDUCATIONAL //----------------------------[/!]
>>> [text]theUsersPassword=password-they-provided[/text]
>>>
>>> [!]=========== TO STORE A PASSWORD ===============[/!]
>>> [!]-- 1) Generate a long random salt using a CSPRNG (we're using /dev/random)--[/!]
>>> [text]longRandomSalt=[!]
>>> [/!][getchars start=1&end=32][!]
>>> [/!][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][!]
>>> [/!][shell]echo $RANDOM$RANDOM$RANDOM[/shell][!]
>>> [/!][/encrypt][!]
>>> [/!][/getchars][!]
>>> [/!][/text]
>>>
>>> [!]-- 2) Prepend the salt to the password and hash it with a standard cryptographic hash function such as SHA256 --[/!]
>>> [text]saltedAndHashed=[shell]echo -n [longRandomSalt][theUsersPassword] | sha256sum[/shell][/text]
>>>
>>> [!]-- 3) Save both the salt and the hash in the user's database record --
>>> [append] or [replace] to your db as appropriate
>>> salt = [longRandomSalt]
>>> hash = [saltedAndHashed]
>>> -------------[/!]
>>>
>>> [!]=========== TO VALIDATE A PASSWORD ===============[/!]
>>> [!]-- Test comparison by swapping password variable in STEP 2 to either -SAME or -DIFF --[/!]
>>> [text]theUsersPassword-SAME=[theUsersPassword][/text]
>>> [text]theUsersPassword-DIFF=[random][random][random][/text]
>>>
>>> [!]-- 1) Retrieve the user's salt and hash from the database --
>>> [search] or [lookup] as appropriate
>>> - For illustrative purposes, pretend we actually retrieved...
>>> - We know these values from above, so we'll set them up now
>>> -------------[/!]
>>> [text]saltFromDB=[longRandomSalt][/text]
>>> [text]hashFromDB=[saltedAndHashed][/text]
>>>
>>> [!]-- 2) Prepend the salt to the given password and hash it using the same hash function --[/!]
>>> [text]saltedAndHashedFromDB=[shell]echo -n [saltFromDB][theUsersPassword-DIFF] | sha256sum[/shell][/text]
>>>
>>> [!]-- 3) Compare the hash of the given password with the hash from the database. If they match, the password is correct. Otherwise, the password is incorrect --[/!]
>>> [if "[hashFromDB]"="[saltedAndHashedFromDB]"]
>>> [then]THEY MATCH - Let the user in[/then]
>>> [else]THEY DON'T MATCH - Release the hounds[/else]
>>> [/if]
>>> ---------------------------------------------------------
>>> This message is sent to you because you are subscribed to
>>> the mailing list .
>>> To unsubscribe, E-mail to: 
>>> archives: http://mail.webdna.us/list/talk@webdna.us
>>> Bug Reporting: support@webdna.us
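The store-and-validate flow from the quoted script, as an added example that is not part of the original post or of WebDNA: the same three steps written as plain POSIX shell functions, i.e. the commands a [shell] call hands to the operating system. It assumes coreutils sha256sum, head, od and /dev/urandom are available; the function names and the demo record are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: the STORE / VALIDATE steps
# of the quoted WebDNA script as POSIX shell functions.
# Assumes coreutils sha256sum, head, od and /dev/urandom.

# STORE step 1: salt from the kernel CSPRNG, hex encoded.
# bash's $RANDOM (what the post's [shell] calls use) is a small
# non-cryptographic PRNG, so the bytes come from /dev/urandom here.
# $1 = number of random bytes; default 16 -> 32 hex chars, as in the post.
make_salt() {
    head -c "${1:-16}" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# STORE step 2: SHA-256 of salt||password. printf feeds both values to
# sha256sum over stdin, so neither is spliced into a command line.
# Only the lowercase hex digest is printed (sha256sum also prints "  -").
# A single SHA-256 is fast; the crackstation page the post links also
# covers key stretching (PBKDF2, bcrypt) for resistance to offline guessing.
# $1 = salt, $2 = password
salt_hash() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# VALIDATE steps 1-3: recompute with the stored salt and compare with the
# stored hash. $1 = salt from DB, $2 = hash from DB, $3 = password at login.
# Exit status 0 = match, 1 = no match.
verify_password() {
    [ "$(salt_hash "$1" "$3")" = "$2" ]
}

# Walk-through on a constructed record (made-up user, no real data).
demo() {
    salt=$(make_salt)
    stored=$(salt_hash "$salt" "correct horse battery staple")
    echo "salt = $salt"
    echo "hash = $stored"
    if verify_password "$salt" "$stored" "correct horse battery staple"; then
        echo "THEY MATCH - Let the user in"
    fi
    if ! verify_password "$salt" "$stored" "wrong-guess"; then
        echo "THEY DON'T MATCH"
    fi
}

demo
```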
Dan Strong