Re: [WebDNA] Best practice re: password storage
This WebDNA talk-list message is from 2013
It keeps the original formatting.
numero = 110788
THAT'S GREAT DAN, I will have to post you a few more ideas for you to do the hard work !!
I will use what you have done for a new site that I am developing.

Regards
Stuart Tremain
IDFK Web Developments
AUSTRALIA
webdna@idfk.com.au

On 04/10/2013, at 9:00 AM, Dan Strong wrote:

> Better formatting here, in case email chews it up:
> http://danstrong.com/blog/secure-hashing-with-webdna/
>
> -Dan Strong
> http://www.DanStrong.com
>
> On 10/3/2013 3:59 PM, Dan Strong wrote:
>> Using info from the link Stuart sent last night, I cobbled together some functions to do "proper" hashing via WebDNA. If you find any mistakes or have questions let me know.
>>
>> [!]--------------------------------------------------------------------------
>> One way to do "proper" hashing using WebDNA on linux/unix
>> See: https://crackstation.net/hashing-security.htm#properhashing
>>
>> Compact [function]s first, verbose & educational script after.
>> by Dan Strong - http://www.DanStrong.com
>> Free to use, no strings attached.
>> --------------------------------------------------------------------------[/!]
>>
>> [!]------// FUNCTIONS //----------------------------[/!]
>> [!]-- "danFunc_makeSalt" (ex: "8630d1f3a3ff0ee8f72856f5692d9ccd" - usage: "[danFunc_makeSalt]" --[/!]
>> [function name=danFunc_makeSalt]
>> [text]longRandomSalt=[getchars start=1&end=10][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][shell]echo $RANDOM$RANDOM$RANDOM[/shell][/encrypt][/getchars][/text]
>> [return][longRandomSalt][/return]
>> [/function]
>>
>> [!]-- "danFunc_saltHashPassword" (ex: "e7fdd33de69677f0ed77f68cf54060ef9fa240204b9c40af0c75d0f80169bce7" - usage: "[danFunc_saltHashPassword pw=somePassword]" --[/!]
>> [function name=danFunc_saltHashPassword]
>> [text]saltedAndHashed=[shell]echo -n [danFunc_makeSalt][pw] | sha256sum[/shell][/text]
>> [return][saltedAndHashed][/return]
>> [/function]
>>
>>
>> [!]------// VERBOSE & EDUCATIONAL //----------------------------[/!]
>> [text]theUsersPassword=password-they-provided[/text]
>>
>> [!]=========== TO STORE A PASSWORD ===============[/!]
>> [!]-- 1) Generate a long random salt using a CSPRNG (we're using /dev/random)--[/!]
>> [text]longRandomSalt=[!]
>> [/!][getchars start=1&end=32][!]
>> [/!][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][!]
>> [/!][shell]echo $RANDOM$RANDOM$RANDOM[/shell][!]
>> [/!][/encrypt][!]
>> [/!][/getchars][!]
>> [/!][/text]
>>
>> [!]-- 2) Prepend the salt to the password and hash it with a standard cryptographic hash function such as SHA256 --[/!]
>> [text]saltedAndHashed=[shell]echo -n [longRandomSalt][theUsersPassword] | sha256sum[/shell][/text]
>>
>> [!]-- 3) Save both the salt and the hash in the user's database record --
>> [append] or [replace] to your db as appropriate
>> salt = [longRandomSalt]
>> hash = [saltedAndHashed]
>> -------------[/!]
>>
>> [!]=========== TO VALIDATE A PASSWORD ===============[/!]
>> [!]-- Test comparison by swapping password variable in STEP 2 to either -SAME or -DIFF --[/!]
>> [text]theUsersPassword-SAME=[theUsersPassword][/text]
>> [text]theUsersPassword-DIFF=[random][random][random][/text]
>>
>> [!]-- 1) Retrieve the user's salt and hash from the database --
>> [search] or [lookup] as appropriate
>> - For illustrative purposes, pretend we actually retrieved...
>> - We know these values from above, so we'll set them up now
>> -------------[/!]
>> [text]saltFromDB=[longRandomSalt][/text]
>> [text]hashFromDB=[saltedAndHashed][/text]
>>
>> [!]-- 2) Prepend the salt to the given password and hash it using the same hash function --[/!]
>> [text]saltedAndHashedFromDB=[shell]echo -n [saltFromDB][theUsersPassword-DIFF] | sha256sum[/shell][/text]
>>
>> [!]-- 3) Compare the hash of the given password with the hash from the database. If they match, the password is correct. Otherwise, the password is incorrect --[/!]
>> [if "[hashFromDB]"="[saltedAndHashedFromDB]"]
>> [then]THEY MATCH - Let the user in[/then]
>> [else]THEY DON'T MATCH - Release the hounds[/else]
>> [/if]
>>
>> ---------------------------------------------------------
>> This message is sent to you because you are subscribed to
>> the mailing list .
>> To unsubscribe, E-mail to:
>> archives: http://mail.webdna.us/list/talk@webdna.us
>> Bug Reporting: support@webdna.us
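The store/validate procedure in Dan's post, as an added Python example that is not part of the thread and not Dan's code. It keeps the same salt||password SHA-256 construction (so the hex digest matches what `echo -n [salt][password] | sha256sum` produces) but draws the salt from the OS CSPRNG instead of bash's `$RANDOM`, which is what the post's `[shell]echo $RANDOM[/shell]` pipeline actually uses; it also returns the salt alongside the hash, which the compact `danFunc_saltHashPassword` never does (it generates a salt inside the function and discards it, so step 3 cannot store it), compares digests in constant time, and adds a PBKDF2 variant because one SHA-256 round per guess is cheap to brute-force. All function names are my own.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16  # 32 hex characters, the length of the post's example salt


def make_salt() -> str:
    """Salt from the OS CSPRNG. bash's $RANDOM is a 15-bit non-cryptographic
    generator, so three of them concatenated give a guessable salt."""
    return secrets.token_hex(SALT_BYTES)


def salt_hash_password(password: str, salt: str) -> str:
    """SHA-256 over salt||password, the same bytes that Dan's
    `echo -n [salt][password] | sha256sum` digests (without the trailing ' -')."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def store_password(password: str) -> dict:
    """TO STORE A PASSWORD, steps 1-3: return BOTH values so the salt can be
    written to the user's record and re-applied at validation time."""
    salt = make_salt()
    return {"salt": salt, "hash": salt_hash_password(password, salt)}


def validate_password(record: dict, given_password: str) -> bool:
    """TO VALIDATE A PASSWORD, steps 1-3. compare_digest takes time that does
    not depend on where the two strings first differ, unlike a plain ==."""
    candidate = salt_hash_password(given_password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def stretched_hash(password: str, salt: str, rounds: int = 100_000) -> str:
    """Hardened variant: PBKDF2-HMAC-SHA256 makes every guess cost `rounds`
    hash computations instead of the single one a sha256sum call costs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.encode("utf-8"), rounds).hex()


if __name__ == "__main__":
    record = store_password("password-they-provided")          # the post's sample password
    print(record)                                              # {'salt': ..., 'hash': ...}
    print(validate_password(record, "password-they-provided")) # -SAME case -> True
    print(validate_password(record, "something-else"))         # -DIFF case -> False
```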