-Dan Strong
http://www.DanStrong.com
On 10/3/2013 5:08 PM, Tom Duke wrote:
Dan,
Pretty impressive stuff - those functions are great.
Is there a reason you decided to use SHA-256 rather than SHA-512? Also on my platform anyway - WebDNA 6.2 on CentOS - I found that there is a stray carriage return when generating a hash using [shell]. So I use the following (the table allows pretty much any character to be used in a password):
[table name=prepHash&fields=from,to]$ \$\ \\` \`" \"[/table]
[getchars start=1&trim=both][shell]echo -n "[convertwords table=prepHash][the-salt][the-password][/convertwords]" | openssl dgst -sha512[/shell][/getchars]
- Tom
==============================================
Digital Revolutionaries
1st Floor, Castleriver House
14-15 Parliament Street
Temple Bar, Dublin 2
Ireland
----------------------------------------------
[t]: + 353 1 4403907
[e]: <mailto:tom@revolutionaries.ie>
[w]: <http://www.revolutionaries.ie/>
==============================================
On 4 October 2013 00:13, Dan Strong <dan@danstrong.com> wrote:
I just found a small bug... meant to make the salt 32 chars long not 10, so it should be [getchars start=1&end=32] in "danFunc_makeSalt". I've corrected it on my blog.
-Dan Strong
http://www.DanStrong.com
On 10/3/2013 4:11 PM, WebDNA wrote:
I hadn't even thought about it until Tom posted the question the other day.
Thanks too to Tom for sparking the conversation.
Regards
Stuart Tremain
IDFK Web Developments
AUSTRALIA
webdna@idfk.com.au
On 04/10/2013, at 9:06 AM, Dan Strong <dan@danstrong.com> wrote:
:-) Happy to help. Let me know if you find any bugs or have a better/smarter way to do it.
It actually wasn't that hard (and was fun) to me because I'm interested in it... didn't take too long either once I wrapped my mind around what he was saying.
-Dan Strong
http://www.DanStrong.com
On 10/3/2013 4:03 PM, WebDNA wrote:
THAT'S GREAT DAN, I will have to post you a few more ideas for you to do the hard work !!
I will use what you have done for a new site that I am developing.
Regards
Stuart Tremain
IDFK Web Developments
AUSTRALIA
webdna@idfk.com.au
On 04/10/2013, at 9:00 AM, Dan Strong <dan@danstrong.com> wrote:
Better formatting here, in case email chews it up:
http://danstrong.com/blog/secure-hashing-with-webdna/
-Dan Strong
http://www.DanStrong.com
On 10/3/2013 3:59 PM, Dan Strong wrote:
Using info from the link Stuart sent last night, I cobbled together some functions to do "proper" hashing via WebDNA. If you find any mistakes or have questions let me know.
[!]--------------------------------------------------------------------------
One way to do "proper" hashing using WebDNA on linux/unix
See: https://crackstation.net/hashing-security.htm#properhashing
Compact [function]s first, verbose & educational script after.
by Dan Strong - http://www.DanStrong.com
Free to use, no strings attached.
-------------------------------------------------------------------------[/!]
[!]------// FUNCTIONS //----------------------------[/!]
[!]-- "danFunc_makeSalt" (ex: "8630d1f3a3ff0ee8f72856f5692d9ccd" - usage: "[danFunc_makeSalt]" --[/!]
[function name=danFunc_makeSalt]
[text]longRandomSalt=[getchars start=1&end=10][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][shell]echo $RANDOM$RANDOM$RANDOM[/shell][/encrypt][/getchars][/text]
[return][longRandomSalt][/return]
[/function]
[!]-- "danFunc_saltHashPassword" (ex: "e7fdd33de69677f0ed77f68cf54060ef9fa240204b9c40af0c75d0f80169bce7" - usage: "[danFunc_saltHashPassword pw=somePassword]" --[/!]
[function name=danFunc_saltHashPassword]
[text]saltedAndHashed=[shell]echo -n [danFunc_makeSalt][pw] | sha256sum[/shell][/text]
[return][saltedAndHashed][/return]
[/function]
[!]------// VERBOSE & EDUCATIONAL //----------------------------[/!]
[text]theUsersPassword=password-they-provided[/text]
[!]=========== TO STORE A PASSWORD ===============[/!]
[!]-- 1) Generate a long random salt using a CSPRNG. (Note: this script seeds [encrypt] from the shell's $RANDOM, which is not a CSPRNG; for real use read the salt bytes from /dev/urandom) --[/!]
[text]longRandomSalt=[!]
[/!][getchars start=1&end=32][!]
[/!][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][!]
[/!][shell]echo $RANDOM$RANDOM$RANDOM[/shell][!]
[/!][/encrypt][!]
[/!][/getchars][!]
[/!][/text]
[!]-- 2) Prepend the salt to the password and hash it with a standard cryptographic hash function such as SHA256 --[/!]
[text]saltedAndHashed=[shell]echo -n [longRandomSalt][theUsersPassword] | sha256sum[/shell][/text]
[!]-- 3) Save both the salt and the hash in the user's database record --
[append] or [replace] to your db as appropriate
salt = [longRandomSalt]
hash = [saltedAndHashed]
-------------[/!]
[!]=========== TO VALIDATE A PASSWORD ===============[/!]
[!]-- Test comparison by swapping password variable in STEP 2 to either -SAME or -DIFF --[/!]
[text]theUsersPassword-SAME=[theUsersPassword][/text]
[text]theUsersPassword-DIFF=[random][random][random][/text]
[!]-- 1) Retrieve the user's salt and hash from the database --
[search] or [lookup] as appropriate
- For illustrative purposes, pretend we actually retrieved...
- We know these values from above, so we'll set them up now
-------------[/!]
[text]saltFromDB=[longRandomSalt][/text]
[text]hashFromDB=[saltedAndHashed][/text]
[!]-- 2) Prepend the salt to the given password and hash it using the same hash function --[/!]
[text]saltedAndHashedFromDB=[shell]echo -n [saltFromDB][theUsersPassword-DIFF] | sha256sum[/shell][/text]
[!]-- 3) Compare the hash of the given password with the hash from the database. If they match, the password is correct. Otherwise, the password is incorrect --[/!]
[if "[hashFromDB]"="[saltedAndHashedFromDB]"]
[then]THEY MATCH - Let the user in[/then]
[else]THEY DON'T MATCH - Release the hounds[/else]
[/if]
---------------------------------------------------------
This message is sent to you because you are subscribed to
the mailing list <talk@webdna.us>.
To unsubscribe, E-mail to: <talk-leave@webdna.us>
archives: http://mail.webdna.us/list/talk@webdna.us
Bug Reporting: support@webdna.us
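The store/validate procedure from Dan's script, done in plain POSIX shell as an added example (not Dan's or Tom's code, and not WebDNA). It also handles the two problems Tom raises: the trailing "  -" and newline that sha256sum appends to its output, and passwords containing shell metacharacters, which are passed through printf '%s' as quoted arguments instead of being interpolated into an echo command. The function names and the 16-byte salt size are this example's own choices.

```shell
#!/bin/sh
# Added example: salted SHA-256 password storage and verification in POSIX
# shell. Assumes coreutils (od, tr, sha256sum, cut) and /dev/urandom.

# make_salt -> 32 hex chars (16 bytes) drawn from the kernel CSPRNG,
# with od's spacing and the trailing newline stripped off.
make_salt() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# hash_password SALT PASSWORD -> lowercase hex SHA-256 of salt||password.
# printf '%s' writes the arguments byte-for-byte (no -n/escape quirks, and
# "$2" is never re-parsed by the shell, so $ ` " \ and spaces are safe).
# sha256sum prints "<hex>  -"; cut keeps only the hex field.
hash_password() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# verify_password SALT STORED_HASH PASSWORD -> exit 0 on match, 1 otherwise.
# Recomputes with the stored salt and compares against the stored hash.
verify_password() {
    [ "$(hash_password "$1" "$3")" = "$2" ]
}

# Demo with a constructed password that contains shell metacharacters.
demo() {
    salt=$(make_salt)
    stored=$(hash_password "$salt" 'p$`"\ w')
    if verify_password "$salt" "$stored" 'p$`"\ w'; then
        echo "match: let the user in"
    else
        echo "no match"
    fi
}
```

Because the hash is 64 hex characters exactly, a stored value of any other length is a sign that the stray suffix or newline leaked into the database.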