I just found a small bug... meant to make the salt 32 chars long not 10, so it should be [getchars start=1&end=32] in "danFunc_makeSalt". I've corrected it on my blog.
-Dan Strong
http://www.DanStrong.com
On 10/3/2013 4:11 PM, WebDNA wrote:
I hadn't even thought about it until Tom posted the question the other day.
Thanks too to Tom for sparking the conversation.
Regards
Stuart Tremain
IDFK Web Developments
AUSTRALIA
webdna@idfk.com.au
On 04/10/2013, at 9:06 AM, Dan Strong <dan@danstrong.com> wrote:
:-) Happy to help. Let me know if you find any bugs or have a better/smarter way to do it.
---------------------------------------------------------
It actually wasn't that hard (and was fun) to me because I'm interested in it... didn't take too long either once I wrapped my mind around what he was saying.
-Dan Strong
http://www.DanStrong.com
On 10/3/2013 4:03 PM, WebDNA wrote:
THAT'S GREAT DAN, I will have to post you a few more ideas for you to do the hard work !!
---------------------------------------------------------
I will use what you have done for a new site that I am developing.
Regards
Stuart Tremain
IDFK Web Developments
AUSTRALIA
webdna@idfk.com.au
On 04/10/2013, at 9:00 AM, Dan Strong <dan@danstrong.com> wrote:
Better formatting here, in case email chews it up:
---------------------------------------------------------
http://danstrong.com/blog/secure-hashing-with-webdna/
-Dan Strong
http://www.DanStrong.com
On 10/3/2013 3:59 PM, Dan Strong wrote:
Using info from the link Stuart sent last night, I cobbled together some functions to do "proper" hashing via WebDNA. If you find any mistakes or have questions let me know.
---------------------------------------------------------
[!]--------------------------------------------------------------------------
    One way to do "proper" hashing using WebDNA on linux/unix
    See: https://crackstation.net/hashing-security.htm#properhashing
    Compact [function]s first, verbose & educational script after.
    by Dan Strong - http://www.DanStrong.com
    Free to use, no strings attached.
-------------------------------------------------------------------------[/!]
[!]------// FUNCTIONS //----------------------------[/!]
    [!]-- "danFunc_makeSalt" (ex: "8630d1f3a3ff0ee8f72856f5692d9ccd" - usage: "[danFunc_makeSalt]" --[/!]
        [function name=danFunc_makeSalt]
            [text]longRandomSalt=[getchars start=1&end=10][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][shell]echo $RANDOM$RANDOM$RANDOM[/shell][/encrypt][/getchars][/text]
            [return][longRandomSalt][/return]
        [/function]
    [!]-- "danFunc_saltHashPassword" (ex: "e7fdd33de69677f0ed77f68cf54060ef9fa240204b9c40af0c75d0f80169bce7" - usage: "[danFunc_saltHashPassword pw=somePassword]" --[/!]
        [function name=danFunc_saltHashPassword]
            [text]saltedAndHashed=[shell]echo -n [danFunc_makeSalt][pw] | sha256sum[/shell][/text]
            [return][saltedAndHashed][/return]
        [/function]
[!]------// VERBOSE & EDUCATIONAL //----------------------------[/!]
    [text]theUsersPassword=password-they-provided[/text]
    [!]=========== TO STORE A PASSWORD ================[/!]
        [!]-- 1) Generate a long random salt using a CSPRNG (we're using /dev/random)--[/!]
            [text]longRandomSalt=[!]
                [/!][getchars start=1&end=32][!]
                    [/!][encrypt seed=[shell]echo $RANDOM[/shell]&method=blowfish][!]
                        [/!][shell]echo $RANDOM$RANDOM$RANDOM[/shell][!]
                    [/!][/encrypt][!]
                [/!][/getchars][!]
            [/!][/text]
        [!]-- 2) Prepend the salt to the password and hash it with a standard cryptographic hash function such as SHA256 --[/!]
            [text]saltedAndHashed=[shell]echo -n [longRandomSalt][theUsersPassword] | sha256sum[/shell][/text]
        [!]-- 3) Save both the salt and the hash in the user's database record --
            [append] or [replace] to your db as appropriate
                salt = [longRandomSalt]
                hash = [saltedAndHashed]
        -------------[/!]
    [!]=========== TO VALIDATE A PASSWORD ================[/!]
         [!]-- Test comparison by swapping password variable in STEP 2 to either -SAME or -DIFF --[/!]
            [text]theUsersPassword-SAME=[theUsersPassword][/text]
            [text]theUsersPassword-DIFF=[random][random][random][/text]
        [!]-- 1) Retrieve the user's salt and hash from the database --
            [search] or [lookup] as appropriate
            - For illustrative purposes, pretend we actually retrieved...
            - We know these values from above, so we'll set them up now
         -------------[/!]
            [text]saltFromDB=[longRandomSalt][/text]
            [text]hashFromDB=[saltedAndHashed][/text]
        [!]-- 2) Prepend the salt to the given password and hash it using the same hash function --[/!]
            [text]saltedAndHashedFromDB=[shell]echo -n [saltFromDB][theUsersPassword-DIFF] | sha256sum[/shell][/text]
        [!]-- 3) Compare the hash of the given password with the hash from the database. If they match, the password is correct. Otherwise, the password is incorrect --[/!]
            [if "[hashFromDB]"="[saltedAndHashedFromDB]"]
                [then]THEY MATCH - Let the user in[/then]
                [else]THEY DON'T MATCH - Release the hounds[/else]
            [/if]
---------------------------------------------------------
This message is sent to you because you are subscribed to
the mailing list <talk@webdna.us>.
To unsubscribe, E-mail to: <talk-leave@webdna.us>
archives: http://mail.webdna.us/list/talk@webdna.us
Bug Reporting: support@webdna.us
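Added example, not from the post or from WebDNA, that runs the same store/validate steps of the "verbose & educational" script as POSIX shell functions (the function names are mine): the salt is read from /dev/urandom, which is what step 1's comment intends (bash's $RANDOM is not a CSPRNG), and it is returned alongside the digest, since the compact danFunc_saltHashPassword generates a salt internally and returns only the hash, leaving nothing to verify against later.

```shell
#!/bin/sh
# Added example (not from the post or WebDNA): the store/validate steps from the
# "verbose & educational" script as POSIX shell functions, using the same
# `sha256sum` pipeline the post runs through WebDNA's [shell] tag.

# Step 1: a 32-hex-char salt from the kernel CSPRNG (/dev/urandom), as the
# post's comment intends; bash's $RANDOM is a small non-cryptographic PRNG.
make_salt() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Step 2: sha256(salt || password). sha256sum prints "<hex>  -", so keep only
# the 64-char digest; printf avoids echo's portability quirks with -n.
salt_hash() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Step 3 (store): the record to save with the user, "salt:hash". Unlike the
# post's compact danFunc_saltHashPassword, the salt is returned with the hash,
# because validation cannot recompute anything without it.
store_password() {
    _salt=$(make_salt)
    printf '%s:%s\n' "$_salt" "$(salt_hash "$_salt" "$1")"
}

# Validate: split the stored record, rehash the candidate with the stored salt,
# compare. Exit status 0 = match, 1 = mismatch.
verify_password() {
    _stored_salt=${1%%:*}
    _stored_hash=${1#*:}
    [ "$(salt_hash "$_stored_salt" "$2")" = "$_stored_hash" ]
}

# Stand-alone demo with a constructed password; no database involved.
record=$(store_password 'correct horse battery staple')
echo "stored record: $record"
verify_password "$record" 'correct horse battery staple' && echo "match: let the user in"
verify_password "$record" 'wrong-password' || echo "mismatch: release the hounds"
```

The shell `=` test is not constant-time and a single SHA-256 round is fast; the crackstation article the post links recommends a slow, salted key-stretching function for production password storage.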