Re: [WebDNA] Best practice re: password storage
This WebDNA talk-list message is from 2013
It keeps the original formatting.
numero = 110787
interpreted = N
texte = Better formatting here, in case email chews it up:http://danstrong.com/blog/secure-hashing-with-webdna/-Dan Stronghttp://www.DanStrong.comOn 10/3/2013 3:59 PM, Dan Strong wrote:> Using info from the link Stuart sent last night, I cobbled together > some functions to do "proper" hashing via WebDNA. If you find any > mistakes or have questions let me know.>> [!]-------------------------------------------------------------------------- >> One way to do "proper" hashing using WebDNA on linux/unix> See: https://crackstation.net/hashing-security.htm#properhashing>> Compact [function]s first, verbose & educational script after.> by Dan Strong - http://www.DanStrong.com> Free to use, no strings attached.> -------------------------------------------------------------------------[/!] >>> [!]------// FUNCTIONS //----------------------------[/!]> [!]-- "danFunc_makeSalt" (ex: "8630d1f3a3ff0ee8f72856f5692d9ccd" - > usage: "[danFunc_makeSalt]" --[/!]> [function name=danFunc_makeSalt]> [text]longRandomSalt=[getchars start=1&end=10][encrypt > seed=[shell]echo $RANDOM[/shell]&method=blowfish][shell]echo > $RANDOM$RANDOM$RANDOM[/shell][/encrypt][/getchars][/text]> [return][longRandomSalt][/return]> [/function]>> [!]-- "danFunc_saltHashPassword" (ex: > "e7fdd33de69677f0ed77f68cf54060ef9fa240204b9c40af0c75d0f80169bce7" - > usage: "[danFunc_saltHashPassword pw=somePassword]" --[/!]> [function name=danFunc_saltHashPassword]> [text]saltedAndHashed=[shell]echo -n > [danFunc_makeSalt][pw] | sha256sum[/shell][/text]> [return][saltedAndHashed][/return]> [/function]>>> [!]------// VERBOSE & EDUCATIONAL //----------------------------[/!]> [text]theUsersPassword=password-they-provided[/text]>> [!]=========== TO STORE A PASSWORD ===============[/!]> [!]-- 1) Generate a long random salt using a CSPRNG (we're > using /dev/random)--[/!]> [text]longRandomSalt=[!]> [/!][getchars start=1&end=32][!]> [/!][encrypt seed=[shell]echo > $RANDOM[/shell]&method=blowfish][!]> [/!][shell]echo $RANDOM$RANDOM$RANDOM[/shell][!]> [/!][/encrypt][!]> [/!][/getchars][!]> [/!][/text]>> [!]-- 2) Prepend the salt to the password and hash it with a > standard cryptographic hash function such as SHA256 --[/!]> [text]saltedAndHashed=[shell]echo -n > [longRandomSalt][theUsersPassword] | sha256sum[/shell][/text]>> [!]-- 3) Save both the salt and the hash in the user's > database record --> [append] or [replace] to your db as appropriate> salt = [longRandomSalt]> hash = [saltedAndHashed]> -------------[/!]>> [!]=========== TO VALIDATE A PASSWORD ===============[/!]> [!]-- Test comparison by swapping password variable in STEP 2 > to either -SAME or -DIFF --[/!]> [text]theUsersPassword-SAME=[theUsersPassword][/text]> [text]theUsersPassword-DIFF=[random][random][random][/text]>> [!]-- 1) Retrieve the user's salt and hash from the database --> [search] or [lookup] as approriate> - For illustrative purposes, pretend we actually retrieved...> - We know these values from above, so we'll set them up now> -------------[/!]> [text]saltFromDB=[longRandomSalt][/text]> [text]hashFromDB=[saltedAndHashed][/text]>> [!]-- 2) Prepend the salt to the given password and hash it > using the same hash function --[/!]> [text]saltedAndHashedFromDB=[shell]echo -n > [saltFromDB][theUsersPassword-DIFF] | sha256sum[/shell][/text]>> [!]-- 3) Compare the hash of the given password with the hash > from the database. If they match, the password is correct. Otherwise, > the password is incorrect --[/!]> [if "[hashfromDB]"="[saltedAndHashedFromDB]"]> [then]THEY MATCH - Let the user in[/then]> [else]THEY DON'T MATCH - Release the hounds[/else]> [/if]> ---------------------------------------------------------> This message is sent to you because you are subscribed to> the mailing list
.> To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/talk@webdna.us> Bug Reporting: support@webdna.us
Associated Messages, from the most recent to the oldest:
Better formatting here, in case email chews it up:http://danstrong.com/blog/secure-hashing-with-webdna/-Dan Stronghttp://www.DanStrong.comOn 10/3/2013 3:59 PM, Dan Strong wrote:> Using info from the link Stuart sent last night, I cobbled together > some functions to do "proper" hashing via WebDNA. If you find any > mistakes or have questions let me know.>> [!]-------------------------------------------------------------------------- >> One way to do "proper" hashing using WebDNA on linux/unix> See: https://crackstation.net/hashing-security.htm#properhashing>> Compact [function]s first, verbose & educational script after.> by Dan Strong - http://www.DanStrong.com> Free to use, no strings attached.> -------------------------------------------------------------------------[/!] >>> [!]------// FUNCTIONS //----------------------------[/!]> [!]-- "danFunc_makeSalt" (ex: "8630d1f3a3ff0ee8f72856f5692d9ccd" - > usage: "[danFunc_makeSalt]" --[/!]> [function name=danFunc_makeSalt]> [text]longRandomSalt=[getchars start=1&end=10][encrypt > seed=[shell]echo $RANDOM[/shell]&method=blowfish][shell]echo > $RANDOM$RANDOM$RANDOM[/shell][/encrypt][/getchars][/text]> [return][longRandomSalt][/return]> [/function]>> [!]-- "danFunc_saltHashPassword" (ex: > "e7fdd33de69677f0ed77f68cf54060ef9fa240204b9c40af0c75d0f80169bce7" - > usage: "[danFunc_saltHashPassword pw=somePassword]" --[/!]> [function name=danFunc_saltHashPassword]> [text]saltedAndHashed=[shell]echo -n > [danFunc_makeSalt][pw] | sha256sum[/shell][/text]> [return][saltedAndHashed][/return]> [/function]>>> [!]------// VERBOSE & EDUCATIONAL //----------------------------[/!]> [text]theUsersPassword=password-they-provided[/text]>> [!]=========== TO STORE A PASSWORD ===============[/!]> [!]-- 1) Generate a long random salt using a CSPRNG (we're > using /dev/random)--[/!]> [text]longRandomSalt=[!]> [/!][getchars start=1&end=32][!]> [/!][encrypt seed=[shell]echo > $RANDOM[/shell]&method=blowfish][!]> [/!][shell]echo $RANDOM$RANDOM$RANDOM[/shell][!]> [/!][/encrypt][!]> [/!][/getchars][!]> [/!][/text]>> [!]-- 2) Prepend the salt to the password and hash it with a > standard cryptographic hash function such as SHA256 --[/!]> [text]saltedAndHashed=[shell]echo -n > [longRandomSalt][theUsersPassword] | sha256sum[/shell][/text]>> [!]-- 3) Save both the salt and the hash in the user's > database record --> [append] or [replace] to your db as appropriate> salt = [longRandomSalt]> hash = [saltedAndHashed]> -------------[/!]>> [!]=========== TO VALIDATE A PASSWORD ===============[/!]> [!]-- Test comparison by swapping password variable in STEP 2 > to either -SAME or -DIFF --[/!]> [text]theUsersPassword-SAME=[theUsersPassword][/text]> [text]theUsersPassword-DIFF=[random][random][random][/text]>> [!]-- 1) Retrieve the user's salt and hash from the database --> [search] or [lookup] as approriate> - For illustrative purposes, pretend we actually retrieved...> - We know these values from above, so we'll set them up now> -------------[/!]> [text]saltFromDB=[longRandomSalt][/text]> [text]hashFromDB=[saltedAndHashed][/text]>> [!]-- 2) Prepend the salt to the given password and hash it > using the same hash function --[/!]> [text]saltedAndHashedFromDB=[shell]echo -n > [saltFromDB][theUsersPassword-DIFF] | sha256sum[/shell][/text]>> [!]-- 3) Compare the hash of the given password with the hash > from the database. If they match, the password is correct. Otherwise, > the password is incorrect --[/!]> [if "[hashfromDB]"="[saltedAndHashedFromDB]"]> [then]THEY MATCH - Let the user in[/then]> [else]THEY DON'T MATCH - Release the hounds[/else]> [/if]> ---------------------------------------------------------> This message is sent to you because you are subscribed to> the mailing list .> To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/talk@webdna.us> Bug Reporting: support@webdna.us
Dan Strong
DOWNLOAD WEBDNA NOW!
Top Articles:
Talk List
The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...
Related Readings:
WebCat2: Items xx to xx shown, etc. (1997)
WebCat2 several catalogs? (1997)
WebCat2: multiple currency support (1997)
WCf2 and nested tags (1997)
RAM variables (1997)
[ModDate] & [ModTime] ? (1997)
DataBaseHelper Flawed (1997)
(1997)
Installation Woes (2003)
[OT] DNS Problems (2004)
Printing a final order (1997)
[OT] WebCat 3.x (Mac) Lic. For Sale (2000)
emailcompleted and emailproblem folders (2005)
DON'T use old cart file! (1997)
pulldown menu differences (2005)
switching users (1998)
RE: Just a thought (1998)
taxRate is fine but taxTotal isn't (1997)
Emailer Set Up (1997)
WebMerchant/PayFlowPro (2003)