Re: [WebDNA] Best practice re: password storage

This WebDNA talk-list message is from 2013.
Tom,

Again, I don't know the answer to your direct question (I think only WSC can answer it definitively) so I apologize if my input is unhelpful, but I have taken a very keen interest in encryption/security over the past few years and some of the things I've been doing to harden WebDNA sites is stuff like this:

[encrypt seed=[include ^top-secret-seed-file.inc]&method=blowfish]salt-value.password-value[/encrypt]
"top-secret-seed-file.inc" contains a randomly generated string of nonsense (256 chars/512 chars etc., whatever... basically a "key file").

Not perfect of course since if someone hacks in they can probably access /Globals/, but still better than hard-coding into pages.

As an added step, I also re-generate the key file on another server periodically then rsync it via ssh over to /Globals/ on target server. Only plausible of course if you then decrypt/re-encrypt everything that needs to be decrypted at some point in future, so ok if you're just re-encrypting passwords in a database or simply using to temporarily mask variables in a url or something simple like that, but painful if you have a large/complex site with many things being encrypted.

I have other thought/ideas/methods, but am pressed for time. Feel free to contact me on or off list if you want to discuss further.
-Dan Strong
http://www.DanStrong.com
On 10/2/2013 1:47 PM, Tom Duke wrote:
> Stuart,
>
> [URL][URL][ENCRYPT seed=secret]password-value[/ENCRYPT][/URL][/URL]
>
> Hi - that's what I have been using as well. The problem is that if the site is hacked the seed is accessible and all of the passwords are immediately exposed.
>
> One client in particular has been advised that passwords should only be stored after being salted and encrypted using a one-way hash. The hash should not be MD5 or SHA1. Their concern is that while a hack would be bad enough to deal with, it would be worse if they ended up exposing all of the users passwords, or were seen not to have taken measures to protect the passwords.
>
> I would like to continue to use [encrypt] but I can't figure out what algorithm is used if no seed is specified.
>
> - Tom