Re: [WebDNA] Best practice re: password storage

This WebDNA talk-list message is from 2013


numero = 110775
Stuart,

> [URL][URL][ENCRYPT seed=secret]password-value[/ENCRYPT][/URL][/URL]

Hi - that's what I have been using as well. The problem is that if the site is hacked the seed is accessible and all of the passwords are immediately exposed.

One client in particular has been advised that passwords should only be stored after being salted and encrypted using a one-way hash. The hash should not be MD5 or SHA1. Their concern is that while a hack would be bad enough to deal with, it would be worse if they ended up exposing all of the users' passwords, or were seen not to have taken measures to protect the passwords.

I would like to continue to use [encrypt] but I can't figure out what algorithm is used if no seed is specified.

- Tom

Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  2. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  3. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  4. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  5. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  6. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  7. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  8. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  9. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  10. Re: [WebDNA] Best practice re: password storage (Bill DeVaul 2013)
  11. Re: [WebDNA] Best practice re: password storage (Donovan Brooke 2013)
  12. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  13. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  14. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  15. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  16. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  17. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  18. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  19. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  20. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  21. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  22. [WebDNA] Best practice re: password storage (Tom Duke 2013)
Tom Duke
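The two storage models Tom contrasts in his message, side by side, as an added example that is not code from the thread or from WebDNA. Scheme A stands in for [ENCRYPT seed=secret]: reversible, one shared seed for every row. The actual [ENCRYPT] algorithm is not given anywhere in the thread, so an HMAC-SHA256 keystream XOR is assumed here purely as a stand-in for "reversible with a seed the template must contain". Scheme B is what the client's advice asks for: a per-user random salt plus a slow one-way hash, using PBKDF2-HMAC-SHA256 from Python's standard library. The user table, passwords, seed, iteration count and all function names are the example's own constructed values, not anything from the page.

```python
"""Two ways to store a password, side by side (added example, not WebDNA code).

Scheme A mimics [ENCRYPT seed=secret]: reversible, one shared seed for every
row.  The real [ENCRYPT] algorithm is not given in the thread, so an
HMAC-SHA256 keystream XOR is assumed here purely as a stand-in.

Scheme B is what the client's advice asks for: per-user random salt plus a
slow one-way hash (PBKDF2-HMAC-SHA256 from the standard library).
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# ---- Scheme A: reversible, keyed by a seed the template must contain ----

def _keystream(seed: str, length: int) -> bytes:
    """Expand the seed into `length` bytes: HMAC-SHA256 over a counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(seed.encode(), counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_with_seed(seed: str, password: str) -> str:
    # Same seed, same keystream for every row: equal passwords give equal stored values.
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(seed, len(data)))).hex()

def decrypt_with_seed(seed: str, stored_hex: str) -> str:
    data = bytes.fromhex(stored_hex)
    plain = bytes(a ^ b for a, b in zip(data, _keystream(seed, len(data))))
    return plain.decode("utf-8", errors="replace")

def dump_all_passwords(seed: str, table: Dict[str, str]) -> Dict[str, str]:
    """What an attacker holding a dumped table plus the seed from the template does:
    one pass, every password in clear, regardless of how strong the passwords were."""
    return {user: decrypt_with_seed(seed, stored) for user, stored in table.items()}

# ---- Scheme B: salted, iterated, one-way ----

PBKDF2_ITERATIONS = 200_000   # assumed value; tune so one hash costs tens of ms on your hardware
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(candidate: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.
    There is no inverse operation: a dumped table yields nothing without guessing."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iterations))
    except ValueError:                         # malformed record
        return False
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    SEED = "secret"                            # the seed sitting in the template
    # Constructed sample users; no real data.
    users = {"alice": "hunter2", "bob": "letmein", "carol": "hunter2"}

    table_a = {u: encrypt_with_seed(SEED, p) for u, p in users.items()}
    print("Scheme A, attacker with seed:", dump_all_passwords(SEED, table_a))

    table_b = {u: hash_password(p) for u, p in users.items()}
    print("Scheme B, alice and carol share a password but not a record:",
          table_b["alice"] != table_b["carol"])
    print("Scheme B, login check:", verify_password("hunter2", table_b["alice"]),
          verify_password("wrong", table_b["alice"]))
```

With scheme A, the seed is the single point of failure Tom describes: it has to live in the template, and whoever reads the template and dumps the table recovers every password in one pass. With scheme B there is nothing to reverse; an attacker must guess each password separately, paying the full iteration count per guess, and because each user has a fresh salt, identical passwords produce different records, so a table precomputed for one salt (or for unsalted MD5/SHA1) is useless against the others. The record carries its own iteration count, so the cost can be raised later for new records while old ones still verify.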
