Re: [WebDNA] Best practice re: password storage

This WebDNA talk-list message (number 110787) is from 2013.

Better formatting here, in case email chews it up:
http://danstrong.com/blog/secure-hashing-with-webdna/

-Dan Strong
http://www.DanStrong.com

On 10/3/2013 3:59 PM, Dan Strong wrote:
> Using info from the link Stuart sent last night, I cobbled together
> some functions to do "proper" hashing via WebDNA. If you find any
> mistakes or have questions let me know.
>
> [!]--------------------------------------------------------------------------
>
> One way to do "proper" hashing using WebDNA on linux/unix
> See: https://crackstation.net/hashing-security.htm#properhashing
>
> Compact [function]s first, verbose & educational script after.
> by Dan Strong - http://www.DanStrong.com
> Free to use, no strings attached.
> -------------------------------------------------------------------------[/!]
>
>
> [!]------// FUNCTIONS //----------------------------[/!]
> [!]-- "danFunc_makeSalt" (ex: "8630d1f3a3ff0ee8f72856f5692d9ccd" -
> usage: "[danFunc_makeSalt]" --[/!]
> [!]-- end=32 keeps 32 characters, matching the example salt above and the
> verbose script below --[/!]
> [function name=danFunc_makeSalt]
> [text]longRandomSalt=[getchars start=1&end=32][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][shell]echo $RANDOM$RANDOM$RANDOM[/shell][/encrypt][/getchars][/text]
> [return][longRandomSalt][/return]
> [/function]
>
> [!]-- "danFunc_saltHashPassword" (ex:
> "e7fdd33de69677f0ed77f68cf54060ef9fa240204b9c40af0c75d0f80169bce7" -
> usage: "[danFunc_saltHashPassword salt=[danFunc_makeSalt]&pw=somePassword]" --[/!]
> [!]-- the salt is a parameter so the caller can store it next to the hash
> and pass the same salt back in when validating a login --[/!]
> [function name=danFunc_saltHashPassword]
> [text]saltedAndHashed=[shell]echo -n [salt][pw] | sha256sum[/shell][/text]
> [return][saltedAndHashed][/return]
> [/function]
>
>
> [!]------// VERBOSE & EDUCATIONAL //----------------------------[/!]
> [text]theUsersPassword=password-they-provided[/text]
>
> [!]=========== TO STORE A PASSWORD ===============[/!]
> [!]-- 1) Generate a long random salt using a CSPRNG (we're
> using /dev/random)--[/!]
> [text]longRandomSalt=[!]
> [/!][getchars start=1&end=32][!]
> [/!][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][!]
> [/!][shell]echo $RANDOM$RANDOM$RANDOM[/shell][!]
> [/!][/encrypt][!]
> [/!][/getchars][!]
> [/!][/text]
>
> [!]-- 2) Prepend the salt to the password and hash it with a
> standard cryptographic hash function such as SHA256 --[/!]
> [text]saltedAndHashed=[shell]echo -n [longRandomSalt][theUsersPassword] | sha256sum[/shell][/text]
>
> [!]-- 3) Save both the salt and the hash in the user's
> database record --
> [append] or [replace] to your db as appropriate
> salt = [longRandomSalt]
> hash = [saltedAndHashed]
> -------------[/!]
>
> [!]=========== TO VALIDATE A PASSWORD ===============[/!]
> [!]-- Test comparison by swapping password variable in STEP 2
> to either -SAME or -DIFF --[/!]
> [text]theUsersPassword-SAME=[theUsersPassword][/text]
> [text]theUsersPassword-DIFF=[random][random][random][/text]
>
> [!]-- 1) Retrieve the user's salt and hash from the database --
> [search] or [lookup] as appropriate
> - For illustrative purposes, pretend we actually retrieved...
> - We know these values from above, so we'll set them up now
> -------------[/!]
> [text]saltFromDB=[longRandomSalt][/text]
> [text]hashFromDB=[saltedAndHashed][/text]
>
> [!]-- 2) Prepend the salt to the given password and hash it
> using the same hash function --[/!]
> [text]saltedAndHashedFromDB=[shell]echo -n [saltFromDB][theUsersPassword-DIFF] | sha256sum[/shell][/text]
>
> [!]-- 3) Compare the hash of the given password with the hash
> from the database. If they match, the password is correct. Otherwise,
> the password is incorrect --[/!]
> [if "[hashFromDB]"="[saltedAndHashedFromDB]"]
> [then]THEY MATCH - Let the user in[/then]
> [else]THEY DON'T MATCH - Release the hounds[/else]
> [/if]
> ---------------------------------------------------------
> This message is sent to you because you are subscribed to
> the mailing list .
> To unsubscribe, E-mail to:
> archives: http://mail.webdna.us/list/talk@webdna.us
> Bug Reporting: support@webdna.us
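The store-and-validate flow from the quoted script, as an added POSIX shell example that is not part of Dan Strong's post or of WebDNA: the salt is read from /dev/urandom instead of $RANDOM, salt and password are handed to printf as arguments so the password is never spliced into a command string, and the trailing " -" that sha256sum prints is stripped before the digest is stored or compared. The function names and the "salt:hash" record layout are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the post): salted SHA-256 storage and validation
# in plain POSIX shell. Assumes sha256sum, od, cut and /dev/urandom exist.

# make_salt -> prints 16 random bytes as 32 hex characters, taken from the
# kernel CSPRNG rather than the shell's $RANDOM.
make_salt() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# hash_password SALT PASSWORD -> prints SHA-256(SALT || PASSWORD) as hex.
# printf receives both values as arguments, so no shell parsing touches the
# password; cut drops the " -" that sha256sum appends for stdin input.
hash_password() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# store_password PASSWORD -> prints the record to keep in the user's row,
# as "salt:hash" (constructed layout); the salt must be stored with the hash.
store_password() {
    salt=$(make_salt)
    printf '%s:%s\n' "$salt" "$(hash_password "$salt" "$1")"
}

# verify_password RECORD PASSWORD -> exit status 0 when the password,
# hashed with the stored salt, reproduces the stored hash.
verify_password() {
    salt=${1%%:*}
    stored=${1#*:}
    [ "$(hash_password "$salt" "$2")" = "$stored" ]
}
```

The post's script and this example apply one fast SHA-256 pass; the CrackStation page the post links recommends a deliberately slow, iterated function (PBKDF2, bcrypt or scrypt) so that guessing passwords from a leaked record stays expensive.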