Re: [WebDNA] Best practice re: password storage

This WebDNA talk-list message is from Dan Strong, 2013 (list archive message number 110789).
:-) Happy to help. Let me know if you find any bugs or have a better/smarter way to do it. It actually wasn't that hard (and was fun) to me because I'm interested in it... didn't take too long either once I wrapped my mind around what he was saying.

-Dan Strong
http://www.DanStrong.com

On 10/3/2013 4:03 PM, WebDNA wrote:
> THAT'S GREAT DAN, I will have to post you a few more ideas for you to do the hard work !!
>
> I will use what you have done for a new site that I am developing.
>
> Regards
>
> Stuart Tremain
> IDFK Web Developments
> AUSTRALIA
> webdna@idfk.com.au
>
> On 04/10/2013, at 9:00 AM, Dan Strong wrote:
>
>> Better formatting here, in case email chews it up:
>> http://danstrong.com/blog/secure-hashing-with-webdna/
>>
>> -Dan Strong
>> http://www.DanStrong.com
>>
>> On 10/3/2013 3:59 PM, Dan Strong wrote:
>>> Using info from the link Stuart sent last night, I cobbled together some functions to do "proper" hashing via WebDNA. If you find any mistakes or have questions let me know.
>>>
>>> [!]--------------------------------------------------------------------------
>>> One way to do "proper" hashing using WebDNA on linux/unix
>>> See: https://crackstation.net/hashing-security.htm#properhashing
>>>
>>> Compact [function]s first, verbose & educational script after.
>>> by Dan Strong - http://www.DanStrong.com
>>> Free to use, no strings attached.
>>> -------------------------------------------------------------------------[/!]
>>>
>>> [!]------// FUNCTIONS //----------------------------[/!]
>>> [!]-- "danFunc_makeSalt" (ex: "8630d1f3a3ff0ee8f72856f5692d9ccd" - usage: "[danFunc_makeSalt]" - 32 chars, same length as the verbose script below) --[/!]
>>> [function name=danFunc_makeSalt]
>>> [text]longRandomSalt=[getchars start=1&end=32][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][shell]echo $RANDOM$RANDOM$RANDOM[/shell][/encrypt][/getchars][/text]
>>> [return][longRandomSalt][/return]
>>> [/function]
>>>
>>> [!]-- "danFunc_saltHashPassword" (ex: "e7fdd33de69677f0ed77f68cf54060ef9fa240204b9c40af0c75d0f80169bce7" - usage: "[danFunc_saltHashPassword pw=somePassword&salt=[danFunc_makeSalt]]" - the salt is passed in, not generated inside, so the caller still has it to store next to the hash; "cut" keeps only the 64 hex digits and drops the "  -" that sha256sum appends) --[/!]
>>> [function name=danFunc_saltHashPassword]
>>> [text]saltedAndHashed=[shell]echo -n [salt][pw] | sha256sum | cut -d' ' -f1[/shell][/text]
>>> [return][saltedAndHashed][/return]
>>> [/function]
>>>
>>>
>>> [!]------// VERBOSE & EDUCATIONAL //----------------------------[/!]
>>> [text]theUsersPassword=password-they-provided[/text]
>>>
>>> [!]=========== TO STORE A PASSWORD ===============[/!]
>>> [!]-- 1) Generate a long random salt using a CSPRNG (we're using /dev/random)--[/!]
>>> [text]longRandomSalt=[!]
>>> [/!][getchars start=1&end=32][!]
>>> [/!][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][!]
>>> [/!][shell]echo $RANDOM$RANDOM$RANDOM[/shell][!]
>>> [/!][/encrypt][!]
>>> [/!][/getchars][!]
>>> [/!][/text]
>>>
>>> [!]-- 2) Prepend the salt to the password and hash it with a standard cryptographic hash function such as SHA256 --[/!]
>>> [text]saltedAndHashed=[shell]echo -n [longRandomSalt][theUsersPassword] | sha256sum | cut -d' ' -f1[/shell][/text]
>>>
>>> [!]-- 3) Save both the salt and the hash in the user's database record --
>>> [append] or [replace] to your db as appropriate
>>> salt = [longRandomSalt]
>>> hash = [saltedAndHashed]
>>> -------------[/!]
>>>
>>> [!]=========== TO VALIDATE A PASSWORD ===============[/!]
>>> [!]-- Test comparison by swapping password variable in STEP 2 to either -SAME or -DIFF --[/!]
>>> [text]theUsersPassword-SAME=[theUsersPassword][/text]
>>> [text]theUsersPassword-DIFF=[random][random][random][/text]
>>>
>>> [!]-- 1) Retrieve the user's salt and hash from the database --
>>> [search] or [lookup] as appropriate
>>> - For illustrative purposes, pretend we actually retrieved...
>>> - We know these values from above, so we'll set them up now
>>> -------------[/!]
>>> [text]saltFromDB=[longRandomSalt][/text]
>>> [text]hashFromDB=[saltedAndHashed][/text]
>>>
>>> [!]-- 2) Prepend the salt to the given password and hash it using the same hash function --[/!]
>>> [text]saltedAndHashedFromDB=[shell]echo -n [saltFromDB][theUsersPassword-DIFF] | sha256sum | cut -d' ' -f1[/shell][/text]
>>>
>>> [!]-- 3) Compare the hash of the given password with the hash from the database. If they match, the password is correct. Otherwise, the password is incorrect --[/!]
>>> [if "[hashFromDB]"="[saltedAndHashedFromDB]"]
>>> [then]THEY MATCH - Let the user in[/then]
>>> [else]THEY DON'T MATCH - Release the hounds[/else]
>>> [/if]
>>> ---------------------------------------------------------
>>> This message is sent to you because you are subscribed to
>>> the mailing list .
>>> To unsubscribe, E-mail to:
>>> archives: http://mail.webdna.us/list/talk@webdna.us
>>> Bug Reporting: support@webdna.us

Associated Messages, from the most recent to the oldest:

  1. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  2. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  3. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  4. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  5. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  6. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  7. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  8. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  9. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  10. Re: [WebDNA] Best practice re: password storage (Bill DeVaul 2013)
  11. Re: [WebDNA] Best practice re: password storage (Donovan Brooke 2013)
  12. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  13. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  14. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  15. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  16. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  17. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  18. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  19. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  20. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  21. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  22. [WebDNA] Best practice re: password storage (Tom Duke 2013)
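The store-and-validate flow from Dan's quoted script, written as an added example in POSIX shell rather than WebDNA (this is not code from the original post). It takes the salt from /dev/urandom, the CSPRNG the script's own comment names (bash's $RANDOM is not one), keeps only the 64 hex digits that sha256sum prints, and passes the password as a function argument so metacharacters in it are never interpreted as part of a command line. The salt:hash record format is a constructed convention; store the two fields however your database allows.

```shell
#!/bin/sh
# Added example, not Dan Strong's code: salted SHA-256 storage and
# validation as plain shell functions.

# 16 bytes from the kernel CSPRNG, rendered as 32 hex digits.
make_salt() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# salt_hash SALT PASSWORD -> hex SHA-256 of SALT||PASSWORD.
# printf writes the arguments literally; "cut" drops sha256sum's "  -".
salt_hash() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# store_password PASSWORD -> "salt:hash" (constructed record format).
# The salt is returned together with the hash; it is needed to verify.
store_password() {
    salt=$(make_salt)
    printf '%s:%s' "$salt" "$(salt_hash "$salt" "$1")"
}

# verify_password RECORD PASSWORD -> exit status 0 on match, 1 otherwise.
verify_password() {
    salt=${1%%:*}
    stored=${1#*:}
    candidate=$(salt_hash "$salt" "$2")
    [ "$candidate" = "$stored" ]
}

# Demonstration on a constructed password containing shell metacharacters;
# they stay inert because the value is only ever passed as an argument.
demo_pw='p@ss;word $(date)'
rec=$(store_password "$demo_pw")
verify_password "$rec" "$demo_pw" && echo "THEY MATCH - let the user in"
verify_password "$rec" 'wrong-password' || echo "THEY DON'T MATCH"
```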