Re: [WebDNA] Best practice re: password storage

This WebDNA talk-list message is from 2013. It keeps the original formatting.
You could store the seed as a variable in the global directory.



On 03/10/2013, at 6:47 AM, Tom Duke <tom@revolutionaries.ie> wrote:

Stuart,


>  [URL][URL][ENCRYPT seed=secret]password-value[/ENCRYPT][/URL][/URL]


Hi - that's what I have been using as well. The problem is that if the site is hacked the seed is accessible and all of the passwords are immediately exposed.

One client in particular has been advised that passwords should only be stored after being salted and encrypted using a one-way hash. The hash should not be MD5 or SHA1. Their concern is that while a hack would be bad enough to deal with, it would be worse if they ended up exposing all of the users' passwords, or were seen not to have taken measures to protect the passwords.

I would like to continue to use [encrypt] but I can't figure out what algorithm is used if no seed is specified.

- Tom




Stuart Tremain
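The two storage models discussed in this thread, side by side, as an added example that is not from the list or from WebDNA: a reversible site-wide "seed" scheme (a constructed XOR stand-in, not WebDNA's [ENCRYPT] algorithm) where whoever holds the seed recovers every password, and the salted one-way hash Tom's client was advised to use (PBKDF2-HMAC-SHA256 with a random per-user salt), where the stored record alone yields nothing. Names, the seed value and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- Reversible scheme: one site-wide seed; the seed is a master key for the whole table.
SITE_SEED = b"secret"  # constructed stand-in for a seed kept in a file on the server

def _keystream(n: int) -> bytes:
    # Stand-in for any reversible transform keyed only by the seed (NOT WebDNA's algorithm)
    stream = hashlib.sha256(SITE_SEED).digest()
    return bytes(stream[i % len(stream)] for i in range(n))

def reversible_store(password: str) -> bytes:
    data = password.encode()
    return bytes(b ^ k for b, k in zip(data, _keystream(len(data))))

def reversible_recover(stored: bytes) -> str:
    # Same seed, same keystream: leak the seed and every password comes back
    return bytes(b ^ k for b, k in zip(stored, _keystream(len(stored)))).decode()

# --- One-way scheme: random per-user salt, slow derivation, nothing secret on the server.
ITERATIONS = 600_000  # assumed work factor; tune to the hardware

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = os.urandom(16)  # fresh salt per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Self-describing record: algorithm, iterations, salt, digest
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so a mismatch does not leak digest bytes via timing
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    pw = "correct horse"
    print(reversible_recover(reversible_store(pw)))  # the password comes straight back
    rec = hash_password(pw)
    print(rec)
    print(verify_password(pw, rec), verify_password("wrong", rec))
```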
