Re: [WebDNA] Best practice re: password storage

This WebDNA talk-list message (number 110791) is from 2013.

I just found a small bug... meant to make the salt 32 chars long not 10, so it should be [getchars start=1&end=32] in "danFunc_makeSalt". I've corrected it on my blog.

-Dan Strong
http://www.DanStrong.com

On 10/3/2013 4:11 PM, WebDNA wrote:
> I hadn't even thought about it until Tom posted the question the other day.
>
> Thanks too to Tom for sparking the conversation.
>
> Regards
>
> Stuart Tremain
> IDFK Web Developments
> AUSTRALIA
> webdna@idfk.com.au
>
> On 04/10/2013, at 9:06 AM, Dan Strong wrote:
>
>> :-) Happy to help. Let me know if you find any bugs or have a better/smarter way to do it.
>>
>> It actually wasn't that hard (and was fun) to me because I'm interested in it... didn't take too long either once I wrapped my mind around what he was saying.
>>
>> -Dan Strong
>> http://www.DanStrong.com
>>
>> On 10/3/2013 4:03 PM, WebDNA wrote:
>>> THAT'S GREAT DAN, I will have to post you a few more ideas for you to do the hard work !!
>>>
>>> I will use what you have done for a new site that I am developing.
>>>
>>> Regards
>>>
>>> Stuart Tremain
>>> IDFK Web Developments
>>> AUSTRALIA
>>> webdna@idfk.com.au
>>>
>>> On 04/10/2013, at 9:00 AM, Dan Strong wrote:
>>>
>>>> Better formatting here, in case email chews it up:
>>>> http://danstrong.com/blog/secure-hashing-with-webdna/
>>>>
>>>> -Dan Strong
>>>> http://www.DanStrong.com
>>>>
>>>> On 10/3/2013 3:59 PM, Dan Strong wrote:
>>>>> Using info from the link Stuart sent last night, I cobbled together some functions to do "proper" hashing via WebDNA. If you find any mistakes or have questions let me know.
>>>>>
>>>>> [!]--------------------------------------------------------------------------
>>>>> One way to do "proper" hashing using WebDNA on linux/unix
>>>>> See: https://crackstation.net/hashing-security.htm#properhashing
>>>>>
>>>>> Compact [function]s first, verbose & educational script after.
>>>>> by Dan Strong - http://www.DanStrong.com
>>>>> Free to use, no strings attached.
>>>>> -------------------------------------------------------------------------[/!]
>>>>>
>>>>> [!]------// FUNCTIONS //----------------------------[/!]
>>>>> [!]-- "danFunc_makeSalt" (ex: "8630d1f3a3ff0ee8f72856f5692d9ccd" - usage: "[danFunc_makeSalt]" --[/!]
>>>>> [function name=danFunc_makeSalt]
>>>>> [text]longRandomSalt=[getchars start=1&end=10][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][shell]echo $RANDOM$RANDOM$RANDOM[/shell][/encrypt][/getchars][/text]
>>>>> [return][longRandomSalt][/return]
>>>>> [/function]
>>>>>
>>>>> [!]-- "danFunc_saltHashPassword" (ex: "e7fdd33de69677f0ed77f68cf54060ef9fa240204b9c40af0c75d0f80169bce7" - usage: "[danFunc_saltHashPassword pw=somePassword]" --[/!]
>>>>> [function name=danFunc_saltHashPassword]
>>>>> [text]saltedAndHashed=[shell]echo -n [danFunc_makeSalt][pw] | sha256sum[/shell][/text]
>>>>> [return][saltedAndHashed][/return]
>>>>> [/function]
>>>>>
>>>>>
>>>>> [!]------// VERBOSE & EDUCATIONAL //----------------------------[/!]
>>>>> [text]theUsersPassword=password-they-provided[/text]
>>>>>
>>>>> [!]=========== TO STORE A PASSWORD ===============[/!]
>>>>> [!]-- 1) Generate a long random salt using a CSPRNG (we're using /dev/random)--[/!]
>>>>> [text]longRandomSalt=[!]
>>>>> [/!][getchars start=1&end=32][!]
>>>>> [/!][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][!]
>>>>> [/!][shell]echo $RANDOM$RANDOM$RANDOM[/shell][!]
>>>>> [/!][/encrypt][!]
>>>>> [/!][/getchars][!]
>>>>> [/!][/text]
>>>>>
>>>>> [!]-- 2) Prepend the salt to the password and hash it with a standard cryptographic hash function such as SHA256 --[/!]
>>>>> [text]saltedAndHashed=[shell]echo -n [longRandomSalt][theUsersPassword] | sha256sum[/shell][/text]
>>>>>
>>>>> [!]-- 3) Save both the salt and the hash in the user's database record --
>>>>> [append] or [replace] to your db as appropriate
>>>>> salt = [longRandomSalt]
>>>>> hash = [saltedAndHashed]
>>>>> -------------[/!]
>>>>>
>>>>> [!]=========== TO VALIDATE A PASSWORD ===============[/!]
>>>>> [!]-- Test comparison by swapping password variable in STEP 2 to either -SAME or -DIFF --[/!]
>>>>> [text]theUsersPassword-SAME=[theUsersPassword][/text]
>>>>> [text]theUsersPassword-DIFF=[random][random][random][/text]
>>>>>
>>>>> [!]-- 1) Retrieve the user's salt and hash from the database --
>>>>> [search] or [lookup] as appropriate
>>>>> - For illustrative purposes, pretend we actually retrieved...
>>>>> - We know these values from above, so we'll set them up now
>>>>> -------------[/!]
>>>>> [text]saltFromDB=[longRandomSalt][/text]
>>>>> [text]hashFromDB=[saltedAndHashed][/text]
>>>>>
>>>>> [!]-- 2) Prepend the salt to the given password and hash it using the same hash function --[/!]
>>>>> [text]saltedAndHashedFromDB=[shell]echo -n [saltFromDB][theUsersPassword-DIFF] | sha256sum[/shell][/text]
>>>>>
>>>>> [!]-- 3) Compare the hash of the given password with the hash from the database. If they match, the password is correct. Otherwise, the password is incorrect --[/!]
>>>>> [if "[hashFromDB]"="[saltedAndHashedFromDB]"]
>>>>> [then]THEY MATCH - Let the user in[/then]
>>>>> [else]THEY DON'T MATCH - Release the hounds[/else]
>>>>> [/if]
>>>>> ---------------------------------------------------------
>>>>> This message is sent to you because you are subscribed to
>>>>> the mailing list .
>>>>> To unsubscribe, E-mail to:
>>>>> archives: http://mail.webdna.us/list/talk@webdna.us
>>>>> Bug Reporting: support@webdna.us

Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  2. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  3. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  4. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  5. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  6. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  7. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  8. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  9. Re: [WebDNA] Best practice re: password storage (WebDNA 2013)
  10. Re: [WebDNA] Best practice re: password storage (Bill DeVaul 2013)
  11. Re: [WebDNA] Best practice re: password storage (Donovan Brooke 2013)
  12. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  13. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  14. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  15. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  16. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  17. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  18. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  19. Re: [WebDNA] Best practice re: password storage (Tom Duke 2013)
  20. Re: [WebDNA] Best practice re: password storage (Dan Strong 2013)
  21. Re: [WebDNA] Best practice re: password storage (Stuart Tremain 2013)
  22. [WebDNA] Best practice re: password storage (Tom Duke 2013)
Dan Strong
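The same store-and-validate flow as the quoted danFunc_makeSalt / danFunc_saltHashPassword scheme, written as a POSIX shell script so each step can be checked outside WebDNA. This is an added example, not Dan's code or anything from WebDNA: it assumes sha256sum, od, cut and /dev/urandom are available, takes the 32-character salt from the kernel CSPRNG rather than the shell's $RANDOM, and keeps only the digest field from sha256sum's output.

```shell
#!/bin/sh
# Added example of the salt-then-SHA-256 scheme from the quoted WebDNA post,
# as plain POSIX shell. Not Dan Strong's code. Assumes sha256sum, od, cut
# and /dev/urandom (coreutils on Linux).

# Generate a 32-character hex salt (16 random bytes) from the kernel CSPRNG.
# 32 characters is the length the "end=32" correction in the message is after.
make_salt() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# SHA-256 of salt || password. sha256sum writes "<hex>  -" for stdin, so
# only the first field (the 64 hex digits) is kept as the stored value.
salt_hash() {
    # $1 = salt, $2 = password
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Storing a password: returns "salt:hash", i.e. both values the user's
# database record has to keep (the post's "salt =" and "hash =" fields).
store_password() {
    _salt=$(make_salt)
    printf '%s:%s' "$_salt" "$(salt_hash "$_salt" "$1")"
}

# Validating a password: rehash the candidate with the stored salt and
# compare it with the stored hash. Exit status 0 = match, 1 = no match.
verify_password() {
    # $1 = stored "salt:hash" record, $2 = candidate password
    _stored_salt=${1%%:*}
    _stored_hash=${1#*:}
    [ "$(salt_hash "$_stored_salt" "$2")" = "$_stored_hash" ]
}

# Stand-alone demo with a constructed password (same one the post uses).
rec=$(store_password 'password-they-provided')
echo "stored record: $rec"
verify_password "$rec" 'password-they-provided' && echo "THEY MATCH"
verify_password "$rec" 'something-else' || echo "THEY DON'T MATCH"
```

A plain SHA-256 is fast to compute, so the crackstation article linked in the thread also recommends a deliberately slow hash for production use; the salt handling shown here is unchanged by that choice.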
