Re: [WebDNA] Best practice re: password storage

This WebDNA talk-list message is from 2013.
I hadn't even thought about it until Tom posted the question the other day. Thanks too to Tom for sparking the conversation.

Regards

Stuart Tremain
IDFK Web Developments
AUSTRALIA
webdna@idfk.com.au

On 04/10/2013, at 9:06 AM, Dan Strong wrote:

> :-) Happy to help. Let me know if you find any bugs or have a better/smarter way to do it.
>
> It actually wasn't that hard (and was fun) to me because I'm interested in it... didn't take too long either once I wrapped my mind around what he was saying.
>
> -Dan Strong
> http://www.DanStrong.com
>
> On 10/3/2013 4:03 PM, WebDNA wrote:
>> THAT'S GREAT DAN, I will have to post you a few more ideas for you to do the hard work !!
>>
>> I will use what you have done for a new site that I am developing.
>>
>> Regards
>>
>> Stuart Tremain
>> IDFK Web Developments
>> AUSTRALIA
>> webdna@idfk.com.au
>>
>> On 04/10/2013, at 9:00 AM, Dan Strong wrote:
>>
>>> Better formatting here, in case email chews it up:
>>> http://danstrong.com/blog/secure-hashing-with-webdna/
>>>
>>> -Dan Strong
>>> http://www.DanStrong.com
>>>
>>> On 10/3/2013 3:59 PM, Dan Strong wrote:
>>>> Using info from the link Stuart sent last night, I cobbled together some functions to do "proper" hashing via WebDNA. If you find any mistakes or have questions let me know.
>>>>
>>>> [!]---------------------------------------------------------------------------
>>>> One way to do "proper" hashing using WebDNA on linux/unix
>>>> See: https://crackstation.net/hashing-security.htm#properhashing
>>>>
>>>> Compact [function]s first, verbose & educational script after.
>>>> by Dan Strong - http://www.DanStrong.com
>>>> Free to use, no strings attached.
>>>> -------------------------------------------------------------------------[/!]
>>>>
>>>> [!]------// FUNCTIONS //----------------------------[/!]
>>>> [!]-- "danFunc_makeSalt" (ex: "8630d1f3a3ff0ee8f72856f5692d9ccd" - usage: "[danFunc_makeSalt]") --[/!]
>>>> [!]-- end=32 here matches the 32-character example above and the verbose script below (the original had end=10) --[/!]
>>>> [function name=danFunc_makeSalt]
>>>> [text]longRandomSalt=[getchars start=1&end=32][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][shell]echo $RANDOM$RANDOM$RANDOM[/shell][/encrypt][/getchars][/text]
>>>> [return][longRandomSalt][/return]
>>>> [/function]
>>>>
>>>> [!]-- "danFunc_saltHashPassword" (ex: "e7fdd33de69677f0ed77f68cf54060ef9fa240204b9c40af0c75d0f80169bce7" - usage: "[danFunc_saltHashPassword salt=[danFunc_makeSalt]&pw=somePassword]") --[/!]
>>>> [!]-- The salt is passed in rather than generated inside the function: the caller has to store it next to the hash (step 3 below) and hand the same salt back in at login, which a function that made its own salt and returned only the hash could not support --[/!]
>>>> [function name=danFunc_saltHashPassword]
>>>> [text]saltedAndHashed=[shell]echo -n [salt][pw] | sha256sum[/shell][/text]
>>>> [return][saltedAndHashed][/return]
>>>> [/function]
>>>>
>>>>
>>>> [!]------// VERBOSE & EDUCATIONAL //----------------------------[/!]
>>>> [text]theUsersPassword=password-they-provided[/text]
>>>>
>>>> [!]=========== TO STORE A PASSWORD ===============[/!]
>>>> [!]-- 1) Generate a long random salt using a CSPRNG (we're using /dev/random)--[/!]
>>>> [text]longRandomSalt=[!]
>>>> [/!][getchars start=1&end=32][!]
>>>> [/!][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][!]
>>>> [/!][shell]echo $RANDOM$RANDOM$RANDOM[/shell][!]
>>>> [/!][/encrypt][!]
>>>> [/!][/getchars][!]
>>>> [/!][/text]
>>>>
>>>> [!]-- 2) Prepend the salt to the password and hash it with a standard cryptographic hash function such as SHA256 --[/!]
>>>> [text]saltedAndHashed=[shell]echo -n [longRandomSalt][theUsersPassword] | sha256sum[/shell][/text]
>>>>
>>>> [!]-- 3) Save both the salt and the hash in the user's database record --
>>>> [append] or [replace] to your db as appropriate
>>>> salt = [longRandomSalt]
>>>> hash = [saltedAndHashed]
>>>> -------------[/!]
>>>>
>>>> [!]=========== TO VALIDATE A PASSWORD ===============[/!]
>>>> [!]-- Test comparison by swapping password variable in STEP 2 to either -SAME or -DIFF --[/!]
>>>> [text]theUsersPassword-SAME=[theUsersPassword][/text]
>>>> [text]theUsersPassword-DIFF=[random][random][random][/text]
>>>>
>>>> [!]-- 1) Retrieve the user's salt and hash from the database --
>>>> [search] or [lookup] as appropriate
>>>> - For illustrative purposes, pretend we actually retrieved...
>>>> - We know these values from above, so we'll set them up now
>>>> -------------[/!]
>>>> [text]saltFromDB=[longRandomSalt][/text]
>>>> [text]hashFromDB=[saltedAndHashed][/text]
>>>>
>>>> [!]-- 2) Prepend the salt to the given password and hash it using the same hash function --[/!]
>>>> [text]saltedAndHashedFromDB=[shell]echo -n [saltFromDB][theUsersPassword-DIFF] | sha256sum[/shell][/text]
>>>>
>>>> [!]-- 3) Compare the hash of the given password with the hash from the database. If they match, the password is correct. Otherwise, the password is incorrect --[/!]
>>>> [if "[hashFromDB]"="[saltedAndHashedFromDB]"]
>>>> [then]THEY MATCH - Let the user in[/then]
>>>> [else]THEY DON'T MATCH - Release the hounds[/else]
>>>> [/if]
>>>> ---------------------------------------------------------
>>>> This message is sent to you because you are subscribed to
>>>> the mailing list .
>>>> To unsubscribe, E-mail to:
>>>> archives: http://mail.webdna.us/list/talk@webdna.us
>>>> Bug Reporting: support@webdna.us

Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  2. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  3. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  4. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  5. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  6. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  7. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  8. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  9. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  10. Re: [WebDNA] Best practice re: password storage (Bill DeVaul 2013)
  11. Re: [WebDNA] Best practice re: password storage (Donovan Brooke 2013)
  12. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  13. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  14. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  15. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  16. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  17. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  18. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  19. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  20. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  21. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  22. [WebDNA] Best practice re: password storage (Tom Duke 2013)
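The store/validate flow Dan lays out above, as an added example in plain POSIX shell (the thread's WebDNA already shells out to `sha256sum`, so this is the same pipeline without the `[text]`/`[shell]` wrapping). It is not part of the thread or of Dan Strong's code; the function names `make_salt`, `hash_password`, `verify_password` and `demo` are the example's own, and the password value is a constructed sample. Two details differ from the posted script on purpose: the salt is read from `/dev/urandom`, which is what the "CSPRNG" comment intends (the shell's `$RANDOM` is a small, non-cryptographic generator), and the `  -` suffix that `sha256sum` prints for stdin is cut off so the stored value is the bare digest rather than `<hex>  -`.

```shell
#!/bin/sh
# Added example, not code from the thread: salt, hash, store and validate
# as plain shell functions so each step can be checked on its own.

# Step 1 (store): a random salt. 16 bytes from the kernel CSPRNG,
# hex-encoded to 32 characters. The thread's WebDNA version seeds with the
# shell's $RANDOM instead, which is not a CSPRNG.
make_salt() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Step 2 (store) and step 2 (validate): SHA-256 over salt || password.
# sha256sum prints "<hex>  -" for stdin; keep only the hex field so the
# literal "  -" does not become part of the stored value.
hash_password() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Step 3 (validate): recompute with the *stored* salt and compare.
# Exit status 0 when the candidate password matches, 1 otherwise.
verify_password() {
    stored_salt="$1"; stored_hash="$2"; candidate="$3"
    [ "$(hash_password "$stored_salt" "$candidate")" = "$stored_hash" ]
}

# Walk through the whole flow once: register a user, then try the same
# password and a different one (the thread's -SAME / -DIFF test).
# Returns 0 when both checks behave as expected.
demo() {
    password='password-they-provided'     # constructed sample input
    salt=$(make_salt)
    hash=$(hash_password "$salt" "$password")
    # This is the record you would [append] to the user's database row:
    echo "salt=$salt hash=$hash"
    verify_password "$salt" "$hash" "$password"        || return 1   # -SAME must pass
    verify_password "$salt" "$hash" "not-the-password" && return 1   # -DIFF must fail
    return 0
}
```

Two caveats worth keeping in mind when carrying this into production code: a single SHA-256 round is fast, and the crackstation page the thread cites goes on to recommend a deliberately slow, iterated construction (PBKDF2, bcrypt or scrypt) for exactly that reason; and the `[ a = b ]` string comparison here, like WebDNA's `[if]`, is not constant-time, which matters if an attacker can measure response timing precisely.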