Re: [WebDNA] Best practice re: password storage

This WebDNA talk-list message is from 2013


You could store the seed as a variable in the global directory.



On 03/10/2013, at 6:47 AM, Tom Duke <tom@revolutionaries.ie> wrote:

> Stuart,
>
> > [URL][URL][ENCRYPT seed=secret]password-value[/ENCRYPT][/URL][/URL]
>
> Hi - that's what I have been using as well. The problem is that if the site is hacked the seed is accessible and all of the passwords are immediately exposed.
>
> One client in particular has been advised that passwords should only be stored after being salted and encrypted using a one-way hash. The hash should not be MD5 or SHA1. Their concern is that while a hack would be bad enough to deal with, it would be worse if they ended up exposing all of the users' passwords, or were seen not to have taken measures to protect the passwords.
>
> I would like to continue to use [encrypt] but I can't figure out what algorithm is used if no seed is specified.
>
> - Tom
>
> ---------------------------------------------------------
> This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: archives: http://mail.webdna.us/list/talk@webdna.us Bug Reporting: support@webdna.us

Stuart Tremain

Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  2. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  3. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  4. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  5. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  6. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  7. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  8. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  9. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  10. Re: [WebDNA] Best practice re: password storage (Bill DeVaul 2013)
  11. Re: [WebDNA] Best practice re: password storage (Donovan Brooke 2013)
  12. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  13. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  14. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  15. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  16. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  17. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  18. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  19. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  20. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  21. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  22. [WebDNA] Best practice re: password storage (Tom Duke 2013)
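Tom's requirement in the quoted message (passwords stored only as a salted, one-way hash, and not MD5 or SHA1) written out in working code, as an added example that is not part of the original thread and is not WebDNA code: it uses PBKDF2-HMAC-SHA256 from Python's standard library, stores a random per-user salt and the iteration count next to the digest, and verifies in constant time. The `seeded_deterministic` helper is a stand-in of my own (an assumption, not WebDNA's [ENCRYPT] algorithm, which the thread does not identify) to show the property behind Tom's worry about a single site-wide seed: with no per-user salt, identical passwords produce identical stored values, and one secret is all an attacker needs to work on every row at once. The sample passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 work factor. Raise it as hardware gets faster: each
# stored record carries the count it was made with, so old records still
# verify and needs_rehash() flags them for an upgrade at next login.
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    A fresh random salt for every password means two users who chose the
    same password get different records, and a leaked table cannot be
    attacked with one precomputed dictionary across all rows.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN
    )
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:  # malformed record: wrong field count or bad hex/int
        return False
    if algo != ALGO or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN
    )
    # compare_digest does not leak how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record predates the current work factor (or is unparseable)."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


def seeded_deterministic(password: str, seed: str) -> str:
    """Stand-in (an assumption, not WebDNA's [ENCRYPT]) for any scheme keyed
    only by one site-wide seed: no per-user salt, so equal passwords give
    equal stored values, and whoever reads the seed can attack every row."""
    return hmac.new(seed.encode("utf-8"), password.encode("utf-8"), "sha256").hexdigest()


if __name__ == "__main__":
    # constructed sample: two accounts that happen to share a password
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("salted records differ:", alice != bob)
    print("alice verifies:", verify_password("correct horse battery staple", alice))
    print("wrong password rejected:", not verify_password("Correct horse battery staple", alice))
    print("seeded scheme reveals shared password:",
          seeded_deterministic("hunter2", "secret") == seeded_deterministic("hunter2", "secret"))
```

On each successful login, call `needs_rehash` on the stored record and, if it returns True, replace the record with `hash_password` of the password just verified; that is how a table migrates to a higher work factor (or away from a legacy reversible scheme) without a forced reset. bcrypt, scrypt (`hashlib.scrypt`) or Argon2 serve the same purpose; what matters is a per-user random salt, a deliberately slow function, and no way to recover the password from what is stored.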
