Re: [WebDNA] Best practice re: password storage

This WebDNA talk-list message (number 110787) is from 2013.
Better formatting here, in case email chews it up:
http://danstrong.com/blog/secure-hashing-with-webdna/

-Dan Strong
http://www.DanStrong.com

On 10/3/2013 3:59 PM, Dan Strong wrote:
> Using info from the link Stuart sent last night, I cobbled together
> some functions to do "proper" hashing via WebDNA. If you find any
> mistakes or have questions let me know.
>
> [!]--------------------------------------------------------------------------
>
> One way to do "proper" hashing using WebDNA on linux/unix
> See: https://crackstation.net/hashing-security.htm#properhashing
>
> Compact [function]s first, verbose & educational script after.
> by Dan Strong - http://www.DanStrong.com
> Free to use, no strings attached.
> -------------------------------------------------------------------------[/!]
>
>
> [!]------// FUNCTIONS //----------------------------[/!]
> [!]-- "danFunc_makeSalt" (ex: "8630d1f3a3ff0ee8f72856f5692d9ccd" -
> usage: "[danFunc_makeSalt]" --[/!]
> [function name=danFunc_makeSalt]
> [text]longRandomSalt=[getchars start=1&end=32][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][shell]echo $RANDOM$RANDOM$RANDOM[/shell][/encrypt][/getchars][/text]
> [return][longRandomSalt][/return]
> [/function]
>
> [!]-- "danFunc_saltHashPassword" (ex:
> "e7fdd33de69677f0ed77f68cf54060ef9fa240204b9c40af0c75d0f80169bce7" -
> usage: "[danFunc_saltHashPassword pw=somePassword]" --[/!]
> [function name=danFunc_saltHashPassword]
> [text]saltedAndHashed=[shell]echo -n [danFunc_makeSalt][pw] | sha256sum[/shell][/text]
> [return][saltedAndHashed][/return]
> [/function]
>
>
> [!]------// VERBOSE & EDUCATIONAL //----------------------------[/!]
> [text]theUsersPassword=password-they-provided[/text]
>
> [!]=========== TO STORE A PASSWORD ===============[/!]
> [!]-- 1) Generate a long random salt using a CSPRNG (we're
> using /dev/random)--[/!]
> [text]longRandomSalt=[!]
> [/!][getchars start=1&end=32][!]
> [/!][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][!]
> [/!][shell]echo $RANDOM$RANDOM$RANDOM[/shell][!]
> [/!][/encrypt][!]
> [/!][/getchars][!]
> [/!][/text]
>
> [!]-- 2) Prepend the salt to the password and hash it with a
> standard cryptographic hash function such as SHA256 --[/!]
> [text]saltedAndHashed=[shell]echo -n [longRandomSalt][theUsersPassword] | sha256sum[/shell][/text]
>
> [!]-- 3) Save both the salt and the hash in the user's
> database record --
> [append] or [replace] to your db as appropriate
> salt = [longRandomSalt]
> hash = [saltedAndHashed]
> -------------[/!]
>
> [!]=========== TO VALIDATE A PASSWORD ===============[/!]
> [!]-- Test comparison by swapping password variable in STEP 2
> to either -SAME or -DIFF --[/!]
> [text]theUsersPassword-SAME=[theUsersPassword][/text]
> [text]theUsersPassword-DIFF=[random][random][random][/text]
>
> [!]-- 1) Retrieve the user's salt and hash from the database --
> [search] or [lookup] as appropriate
> - For illustrative purposes, pretend we actually retrieved...
> - We know these values from above, so we'll set them up now
> -------------[/!]
> [text]saltFromDB=[longRandomSalt][/text]
> [text]hashFromDB=[saltedAndHashed][/text]
>
> [!]-- 2) Prepend the salt to the given password and hash it
> using the same hash function --[/!]
> [text]saltedAndHashedFromDB=[shell]echo -n [saltFromDB][theUsersPassword-DIFF] | sha256sum[/shell][/text]
>
> [!]-- 3) Compare the hash of the given password with the hash
> from the database. If they match, the password is correct. Otherwise,
> the password is incorrect --[/!]
> [if "[hashFromDB]"="[saltedAndHashedFromDB]"]
> [then]THEY MATCH - Let the user in[/then]
> [else]THEY DON'T MATCH - Release the hounds[/else]
> [/if]
> ---------------------------------------------------------
> This message is sent to you because you are subscribed to
> the mailing list .
> To unsubscribe, E-mail to:
> archives: http://mail.webdna.us/list/talk@webdna.us
> Bug Reporting: support@webdna.us

Associated Messages, from the most recent to the oldest:

  1. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  2. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  3. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  4. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  5. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  6. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  7. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  8. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  9. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  10. Re: [WebDNA] Best practice re: password storage (Bill DeVaul 2013)
  11. Re: [WebDNA] Best practice re: password storage (Donovan Brooke 2013)
  12. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  13. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  14. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  15. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  16. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  17. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  18. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  19. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  20. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  21. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  22. [WebDNA] Best practice re: password storage (Tom Duke 2013)
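The same three store steps and three validate steps as Dan's WebDNA script, written as an added stand-alone POSIX shell example (this is not Dan Strong's code and not WebDNA): the salt is read from /dev/urandom, the kernel CSPRNG that step 1's comment describes; the password reaches the hash as a quoted printf argument instead of being interpolated into the command line; and the trailing "  -" that sha256sum prints is stripped before the value is stored or compared. Assumes GNU coreutils (sha256sum, od, cut, tr) on PATH.

```shell
#!/bin/sh
# Salted SHA-256 storage and validation, the same three steps as the
# WebDNA script, as a stand-alone POSIX shell script (added example).
# Assumes GNU coreutils (sha256sum, od, cut, tr) on PATH.

# STORE step 1: a 32-hex-char salt read from /dev/urandom, the kernel
# CSPRNG the script's own comment asks for ($RANDOM is not one).
make_salt() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# STORE step 2 / VALIDATE step 2: hash salt||password. printf '%s' with
# quoted arguments avoids echo -n portability quirks and keeps the
# password from ever being parsed as shell syntax. sha256sum prints
# "<hex>  -"; keep only the hex digest so stored and computed values compare.
salt_hash() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# STORE step 3: the record to save in the user's row, as "salt:hash".
store_password() {
    _salt=$(make_salt)
    printf '%s:%s' "$_salt" "$(salt_hash "$_salt" "$1")"
}

# VALIDATE steps 1-3: split the stored record, rehash the candidate with
# the stored salt, compare. Exit status 0 means the password is correct.
check_password() {
    _salt=${1%%:*}
    _stored=${1#*:}
    [ "$(salt_hash "$_salt" "$2")" = "$_stored" ]
}

# Demo with a constructed password that contains shell metacharacters.
record=$(store_password 'correct horse; $(battery) staple')
check_password "$record" 'correct horse; $(battery) staple' && echo "THEY MATCH"
check_password "$record" 'tr0ub4dor&3' || echo "THEY DON'T MATCH"
```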
