Re: [WebDNA] Best practice re: password storage

This WebDNA talk-list message is from 2013.


Dan,

Hi - thanks for your feedback - it's definitely helpful.

One initial question re: your 256 char seed, I thought (from the docs) that the seed length was limited to eight characters?

One idea I'm thinking through, which I'm pretty sure was mentioned on the list before, is to include a client specific seed and other things such as API keys in an encrypted template. Maybe set up a few custom functions on the template so the seed could never be exposed as a variable even if a hacker got access to the source code.

A difficulty I have though is that I can't document to a client how [encrypt] and [cart] work. I use [encrypt] for storing passwords, and [cart] for generating session cookies.

While I can understand that WebDNA may not want to divulge how these tags work, it leaves me with a situation where all I can say to a client is 'trust us'. I can't state the level of predictability of [cart], or the levels of cryptography used in [encrypt].

- Tom
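Tom's difficulty above is that [encrypt] and [cart] cannot be documented to a client. As an added example (not WebDNA code and not from anyone in this thread), this Python shows what a documentable scheme looks like: a password hash whose KDF, iteration count and per-user salt are recorded in the stored string, a server-side pepper standing in for the "client specific seed" that stays out of the template, and a session token whose entropy can be stated. The APP_PEPPER variable name, the demo pepper value and the iteration count are assumptions.

```python
"""Documentable password storage and session tokens (added example, not
WebDNA's [encrypt]/[cart]): every parameter here can be stated to a client."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Deployment secret (the thread's "client specific seed"), read from the
# environment rather than living in a template. The fallback value is a
# constructed demo value; a real deployment sets APP_PEPPER (assumed name).
PEPPER = os.environ.get("APP_PEPPER", "constructed-demo-pepper").encode()

KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; document it)
SALT_BYTES = 16           # 128-bit random salt per user, not an 8-char seed


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.

    The stored string records its own algorithm and parameters, so a client
    audit or a later migration can see exactly what was used.
    """
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode() + PEPPER, salt, KDF_ITERATIONS
    )
    return f"pbkdf2_sha256${KDF_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode() + PEPPER, bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def new_session_token(nbytes: int = 32) -> str:
    """256 bits from the OS CSPRNG, so the unpredictability claim is concrete."""
    return secrets.token_urlsafe(nbytes)
```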


Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  2. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  3. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  4. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  5. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  6. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  7. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  8. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  9. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  10. Re: [WebDNA] Best practice re: password storage (Bill DeVaul 2013)
  11. Re: [WebDNA] Best practice re: password storage (Donovan Brooke 2013)
  12. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  13. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  14. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  15. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  16. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  17. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  18. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  19. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  20. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  21. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  22. [WebDNA] Best practice re: password storage (Tom Duke 2013)
Tom Duke
