numero = 110792
interpreted = N
texte = --047d7b6d9e1c5caa7604e7df1ca6 Content-Type: text/plain; charset=UTF-8 Dan, Pretty impressive stuff - those functions are great. Is there a reason you decided to use SHA-256 rather than SHA-512? Also on my platform anyway - WebDNA 6.2 on CentOS - I found that there is a stray carriage return when generating a hash using [shell]. So I use the following (the table allows pretty much any character to be used in a password): [table name=prepHash&fields=from,to] $ \$ \ \\ ` \` " \" [/table] [getchars start=1&trim=both][shell]echo -n "[convertwords table=prepHash][the-salt][the-password][/convertwords]" | openssl dgst -sha512[/shell][/getchars] - Tom ============================================== Digital Revolutionaries 1st Floor, Castleriver House 14-15 Parliament Street Temple Bar,Dublin 2 Ireland ---------------------------------------------- [t]: + 353 1 4403907 [e]: [w]: ============================================== On 4 October 2013 00:13, Dan Strong wrote: > I just found a small bug... meant to make the salt 32 chars long not 10, > so it should be [getchars start=1&end=32] in "danFunc_makeSalt". I've > corrected it on my blog. > > -Dan Strong > http://www.DanStrong.com > > > On 10/3/2013 4:11 PM, WebDNA wrote: > >> I hadn't even thought about it until Tom posted the question the other >> day. >> >> Thanks too to Tom for sparking the conversation. >> >> Regards >> >> Stuart Tremain >> IDFK Web Developments >> AUSTRALIA >> webdna@idfk.com.au >> >> >> >> >> On 04/10/2013, at 9:06 AM, Dan Strong wrote: >> >> :-) Happy to help. Let me know if you find any bugs or have a >>> better/smarter way to do it. >>> >>> It actually wasn't that hard (and was fun) to me because I'm interested >>> in it... didn't take too long either once I wrapped my mind around what he >>> was saying. >>> >>> -Dan Strong >>> http://www.DanStrong.com >>> >>> On 10/3/2013 4:03 PM, WebDNA wrote: >>> >>>> THAT'S GREAT DAN, I will have to post you a few more ideas for you to >>>> do the hard work !! >>>> >>>> I will use what you have done for a new site that I am developing. >>>> >>>> Regards >>>> >>>> Stuart Tremain >>>> IDFK Web Developments >>>> AUSTRALIA >>>> webdna@idfk.com.au >>>> >>>> >>>> >>>> >>>> On 04/10/2013, at 9:00 AM, Dan Strong wrote: >>>> >>>> Better formatting here, in case email chews it up: >>>>> http://danstrong.com/blog/**secure-hashing-with-webdna/ >>>>> >>>>> -Dan Strong >>>>> http://www.DanStrong.com >>>>> >>>>> On 10/3/2013 3:59 PM, Dan Strong wrote: >>>>> >>>>>> Using info from the link Stuart sent last night, I cobbled together >>>>>> some functions to do "proper" hashing via WebDNA. If you find any mistakes >>>>>> or have questions let me know. >>>>>> >>>>>> [!]---------------------------**------------------------------** >>>>>> ----------------- >>>>>> One way to do "proper" hashing using WebDNA on linux/unix >>>>>> See: https://crackstation.net/**hashing-security.htm#** >>>>>> properhashing >>>>>> >>>>>> Compact [function]s first, verbose & educational script after. >>>>>> by Dan Strong - http://www.DanStrong.com >>>>>> Free to use, no strings attached. >>>>>> ------------------------------**------------------------------** >>>>>> -------------[/!] >>>>>> >>>>>> [!]------// FUNCTIONS //----------------------------**[/!] >>>>>> [!]-- "danFunc_makeSalt" (ex: "**8630d1f3a3ff0ee8f72856f5692d9c**cd" >>>>>> - usage: "[danFunc_makeSalt]" --[/!] >>>>>> [function name=danFunc_makeSalt] >>>>>> [text]longRandomSalt=[getchars start=1&end=10][encrypt >>>>>> seed=[shell]echo $RANDOM[/shell]&method=**blowfish][shell]echo >>>>>> $RANDOM$RANDOM$RANDOM[/shell][**/encrypt][/getchars][/text] >>>>>> [return][longRandomSalt][/**return] >>>>>> [/function] >>>>>> >>>>>> [!]-- "danFunc_saltHashPassword" (ex: "** >>>>>> e7fdd33de69677f0ed77f68cf54060**ef9fa240204b9c40af0c75d0f80169**bce7" >>>>>> - usage: "[danFunc_saltHashPassword pw=somePassword]" --[/!] >>>>>> [function name=danFunc_saltHashPassword] >>>>>> [text]saltedAndHashed=[shell]**echo -n >>>>>> [danFunc_makeSalt][pw] | sha256sum[/shell][/text] >>>>>> [return][saltedAndHashed][/**return] >>>>>> [/function] >>>>>> >>>>>> >>>>>> [!]------// VERBOSE & EDUCATIONAL //----------------------------** >>>>>> [/!] >>>>>> [text]theUsersPassword=**password-they-provided[/text] >>>>>> >>>>>> [!]=========== TO STORE A PASSWORD ===============[/!] >>>>>> [!]-- 1) Generate a long random salt using a CSPRNG (we're >>>>>> using /dev/random)--[/!] >>>>>> [text]longRandomSalt=[!] >>>>>> [/!][getchars start=1&end=32][!] >>>>>> [/!][encrypt seed=[shell]echo >>>>>> $RANDOM[/shell]&method=**blowfish][!] >>>>>> [/!][shell]echo $RANDOM$RANDOM$RANDOM[/shell][ >>>>>> **!] >>>>>> [/!][/encrypt][!] >>>>>> [/!][/getchars][!] >>>>>> [/!][/text] >>>>>> >>>>>> [!]-- 2) Prepend the salt to the password and hash it with a >>>>>> standard cryptographic hash function such as SHA256 --[/!] >>>>>> [text]saltedAndHashed=[shell]**echo -n [longRandomSalt][* >>>>>> *theUsersPassword] | sha256sum[/shell][/text] >>>>>> >>>>>> [!]-- 3) Save both the salt and the hash in the user's >>>>>> database record -- >>>>>> [append] or [replace] to your db as appropriate >>>>>> salt = [longRandomSalt] >>>>>> hash = [saltedAndHashed] >>>>>> -------------[/!] >>>>>> >>>>>> [!]=========== TO VALIDATE A PASSWORD ===============[/!] >>>>>> [!]-- Test comparison by swapping password variable in STEP >>>>>> 2 to either -SAME or -DIFF --[/!] >>>>>> [text]theUsersPassword-SAME=[**theUsersPassword][/text] >>>>>> [text]theUsersPassword-DIFF=[**random][random][random][/text] >>>>>> >>>>>> [!]-- 1) Retrieve the user's salt and hash from the database >>>>>> -- >>>>>> [search] or [lookup] as approriate >>>>>> - For illustrative purposes, pretend we actually >>>>>> retrieved... >>>>>> - We know these values from above, so we'll set them up >>>>>> now >>>>>> -------------[/!] >>>>>> [text]saltFromDB=[**longRandomSalt][/text] >>>>>> [text]hashFromDB=[**saltedAndHashed][/text] >>>>>> >>>>>> [!]-- 2) Prepend the salt to the given password and hash it >>>>>> using the same hash function --[/!] >>>>>> [text]saltedAndHashedFromDB=[**shell]echo -n >>>>>> [saltFromDB][theUsersPassword-**DIFF] | sha256sum[/shell][/text] >>>>>> >>>>>> [!]-- 3) Compare the hash of the given password with the hash >>>>>> from the database. If they match, the password is correct. Otherwise, the >>>>>> password is incorrect --[/!] >>>>>> [if "[hashfromDB]"="[**saltedAndHashedFromDB]"] >>>>>> [then]THEY MATCH - Let the user in[/then] >>>>>> [else]THEY DON'T MATCH - Release the hounds[/else] >>>>>> [/if] >>>>>> ------------------------------**--------------------------- >>>>>> This message is sent to you because you are subscribed to >>>>>> the mailing list . >>>>>> To unsubscribe, E-mail to: >>>>>> archives: http://mail.webdna.us/list/**talk@webdna.us >>>>>> Bug Reporting: support@webdna.us >>>>>> >>>>> ------------------------------**--------------------------- >>>>> This message is sent to you because you are subscribed to >>>>> the mailing list . >>>>> To unsubscribe, E-mail to: >>>>> archives: http://mail.webdna.us/list/**talk@webdna.us >>>>> Bug Reporting: support@webdna.us >>>>> >>>> ------------------------------**--------------------------- >>>> This message is sent to you because you are subscribed to >>>> the mailing list . >>>> To unsubscribe, E-mail to: >>>> archives: http://mail.webdna.us/list/**talk@webdna.us >>>> Bug Reporting: support@webdna.us >>>> >>> ------------------------------**--------------------------- >>> This message is sent to you because you are subscribed to >>> the mailing list . >>> To unsubscribe, E-mail to: >>> archives: http://mail.webdna.us/list/**talk@webdna.us >>> Bug Reporting: support@webdna.us >>> >> ------------------------------**--------------------------- >> This message is sent to you because you are subscribed to >> the mailing list . >> To unsubscribe, E-mail to: >> archives: http://mail.webdna.us/list/**talk@webdna.us >> Bug Reporting: support@webdna.us >> > > ------------------------------**--------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/**talk@webdna.us > Bug Reporting: support@webdna.us > --047d7b6d9e1c5caa7604e7df1ca6 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Dan,
Pretty impressive stuff - those fu= nctions are great. =C2=A0=C2=A0
Is there a reason = you decided to use SHA-256 rather than SHA-512? =C2=A0 Also on my platform = anyway - WebDNA 6.2 on CentOS - I found that there is a stray carriage retu= rn when generating a hash using [shell]. =C2=A0 So I use the following (the= table allows pretty much any character to be used in a password):
I just found a small bug... meant to make the salt 32 chars long not 10, so= it should be [getchars start=3D1&end=3D32] in "danFunc_makeSalt&q= uot;. I've corrected it on my blog.
:-) Happy to help. Let me know if you find any bugs or have a better/smarte= r way to do it.
It actually wasn't that hard (and was fun) to me because I'm intere= sted in it... didn't take too long either once I wrapped my mind around= what he was saying.
Using info from the link Stuart sent last night, I cobbled together some fu= nctions to do "proper" hashing via WebDNA. If you find any mistak= es or have questions let me know.
=C2=A0 =C2=A0 =C2=A0 =C2=A0 [!]-- 2) Prepend the salt to the password and h= ash it with a standard cryptographic hash function such as SHA256 --[/!] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [text]saltedAndHashed=3D[shell]echo -n [longRandomSalt][theUsersPassword] | sha256sum[/shell][= /text]
=C2=A0 =C2=A0 =C2=A0 =C2=A0 [!]-- 3) Save both the salt and the hash in the= user's database record -- =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [append] or [replace] to your db = as appropriate =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 salt =3D [longRando= mSalt] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 hash =3D [saltedAnd= Hashed] =C2=A0 =C2=A0 =C2=A0 =C2=A0 -------------[/!]
=C2=A0 =C2=A0 [!]=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D TO VALIDATE A PASSWORD = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D[/!] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0[!]-- Test comparison by swapping passwor= d variable in STEP 2 to either -SAME or -DIFF --[/!] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [text]theUsersPassword-SAME=3D[theUsersPassword][/text] [text]theUsersPassword-DIFF=3D[random][random][random][/text]
=C2=A0 =C2=A0 =C2=A0 =C2=A0 [!]-- 1) Retrieve the user's salt and hash = from the database -- =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [search] or [lookup] as approriat= e =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 - For illustrative purposes, pret= end we actually retrieved... =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 - We know these values from above= , so we'll set them up now =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0-------------[/!] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [text]saltFromDB=3D[longRa= ndomSalt][/text] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [text]hashFromDB=3D[salted= AndHashed][/text]
=C2=A0 =C2=A0 =C2=A0 =C2=A0 [!]-- 2) Prepend the salt to the given password= and hash it using the same hash function --[/!] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [text]saltedAndHashedFromDB=3D[shell]echo -n [saltFromDB][theUsersPassword-DIFF] | sha256sum[/= shell][/text]
=C2=A0 =C2=A0 =C2=A0 =C2=A0 [!]-- 3) Compare the hash of the given password= with the hash from the database. If they match, the password is correct. O= therwise, the password is incorrect --[/!] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [if "[hashfromDB]"=3D&q= uot;[saltedAndHashedFromDB]"] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [then]THEY MATCH - = Let the user in[/then] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [else]THEY DON'= T MATCH - Release the hounds[/else] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [/if] --------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list <ta= lk@webdna.us>. To unsubscribe, E-mail to: <talk-leave@webdna.us> archives: http://mail.webdna.us/list/talk@webdna.us Bug Reporting: suppo= rt@webdna.us
--047d7b6d9e1c5caa7604e7df1ca6 Content-Type: text/plain; charset=UTF-8 Dan, Pretty impressive stuff - those functions are great. Is there a reason you decided to use SHA-256 rather than SHA-512? Also on my platform anyway - WebDNA 6.2 on CentOS - I found that there is a stray carriage return when generating a hash using [shell]. So I use the following (the table allows pretty much any character to be used in a password): [table name=prepHash&fields=from,to] $ \$ \ \\ ` \` " \" [/table] [getchars start=1&trim=both][shell]echo -n "[convertwords table=prepHash][the-salt][the-password][/convertwords]" | openssl dgst -sha512[/shell][/getchars] - Tom ============================================== Digital Revolutionaries 1st Floor, Castleriver House 14-15 Parliament Street Temple Bar,Dublin 2 Ireland ---------------------------------------------- [t]: + 353 1 4403907 [e]: [w]: ============================================== On 4 October 2013 00:13, Dan Strong wrote: > I just found a small bug... meant to make the salt 32 chars long not 10, > so it should be [getchars start=1&end=32] in "danFunc_makeSalt". I've > corrected it on my blog. > > -Dan Strong > http://www.DanStrong.com > > > On 10/3/2013 4:11 PM, WebDNA wrote: > >> I hadn't even thought about it until Tom posted the question the other >> day. >> >> Thanks too to Tom for sparking the conversation. >> >> Regards >> >> Stuart Tremain >> IDFK Web Developments >> AUSTRALIA >> webdna@idfk.com.au >> >> >> >> >> On 04/10/2013, at 9:06 AM, Dan Strong wrote: >> >> :-) Happy to help. Let me know if you find any bugs or have a >>> better/smarter way to do it. >>> >>> It actually wasn't that hard (and was fun) to me because I'm interested >>> in it... didn't take too long either once I wrapped my mind around what he >>> was saying. >>> >>> -Dan Strong >>> http://www.DanStrong.com >>> >>> On 10/3/2013 4:03 PM, WebDNA wrote: >>> >>>> THAT'S GREAT DAN, I will have to post you a few more ideas for you to >>>> do the hard work !! >>>> >>>> I will use what you have done for a new site that I am developing. >>>> >>>> Regards >>>> >>>> Stuart Tremain >>>> IDFK Web Developments >>>> AUSTRALIA >>>> webdna@idfk.com.au >>>> >>>> >>>> >>>> >>>> On 04/10/2013, at 9:00 AM, Dan Strong wrote: >>>> >>>> Better formatting here, in case email chews it up: >>>>> http://danstrong.com/blog/**secure-hashing-with-webdna/ >>>>> >>>>> -Dan Strong >>>>> http://www.DanStrong.com >>>>> >>>>> On 10/3/2013 3:59 PM, Dan Strong wrote: >>>>> >>>>>> Using info from the link Stuart sent last night, I cobbled together >>>>>> some functions to do "proper" hashing via WebDNA. If you find any mistakes >>>>>> or have questions let me know. >>>>>> >>>>>> [!]---------------------------**------------------------------** >>>>>> ----------------- >>>>>> One way to do "proper" hashing using WebDNA on linux/unix >>>>>> See: https://crackstation.net/**hashing-security.htm#** >>>>>> properhashing >>>>>> >>>>>> Compact [function]s first, verbose & educational script after. >>>>>> by Dan Strong - http://www.DanStrong.com >>>>>> Free to use, no strings attached. >>>>>> ------------------------------**------------------------------** >>>>>> -------------[/!] >>>>>> >>>>>> [!]------// FUNCTIONS //----------------------------**[/!] >>>>>> [!]-- "danFunc_makeSalt" (ex: "**8630d1f3a3ff0ee8f72856f5692d9c**cd" >>>>>> - usage: "[danFunc_makeSalt]" --[/!] >>>>>> [function name=danFunc_makeSalt] >>>>>> [text]longRandomSalt=[getchars start=1&end=10][encrypt >>>>>> seed=[shell]echo $RANDOM[/shell]&method=**blowfish][shell]echo >>>>>> $RANDOM$RANDOM$RANDOM[/shell][**/encrypt][/getchars][/text] >>>>>> [return][longRandomSalt][/**return] >>>>>> [/function] >>>>>> >>>>>> [!]-- "danFunc_saltHashPassword" (ex: "** >>>>>> e7fdd33de69677f0ed77f68cf54060**ef9fa240204b9c40af0c75d0f80169**bce7" >>>>>> - usage: "[danFunc_saltHashPassword pw=somePassword]" --[/!] >>>>>> [function name=danFunc_saltHashPassword] >>>>>> [text]saltedAndHashed=[shell]**echo -n >>>>>> [danFunc_makeSalt][pw] | sha256sum[/shell][/text] >>>>>> [return][saltedAndHashed][/**return] >>>>>> [/function] >>>>>> >>>>>> >>>>>> [!]------// VERBOSE & EDUCATIONAL //----------------------------** >>>>>> [/!] >>>>>> [text]theUsersPassword=**password-they-provided[/text] >>>>>> >>>>>> [!]=========== TO STORE A PASSWORD ===============[/!] >>>>>> [!]-- 1) Generate a long random salt using a CSPRNG (we're >>>>>> using /dev/random)--[/!] >>>>>> [text]longRandomSalt=[!] >>>>>> [/!][getchars start=1&end=32][!] >>>>>> [/!][encrypt seed=[shell]echo >>>>>> $RANDOM[/shell]&method=**blowfish][!] >>>>>> [/!][shell]echo $RANDOM$RANDOM$RANDOM[/shell][ >>>>>> **!] >>>>>> [/!][/encrypt][!] >>>>>> [/!][/getchars][!] >>>>>> [/!][/text] >>>>>> >>>>>> [!]-- 2) Prepend the salt to the password and hash it with a >>>>>> standard cryptographic hash function such as SHA256 --[/!] >>>>>> [text]saltedAndHashed=[shell]**echo -n [longRandomSalt][* >>>>>> *theUsersPassword] | sha256sum[/shell][/text] >>>>>> >>>>>> [!]-- 3) Save both the salt and the hash in the user's >>>>>> database record -- >>>>>> [append] or [replace] to your db as appropriate >>>>>> salt = [longRandomSalt] >>>>>> hash = [saltedAndHashed] >>>>>> -------------[/!] >>>>>> >>>>>> [!]=========== TO VALIDATE A PASSWORD ===============[/!] >>>>>> [!]-- Test comparison by swapping password variable in STEP >>>>>> 2 to either -SAME or -DIFF --[/!] >>>>>> [text]theUsersPassword-SAME=[**theUsersPassword][/text] >>>>>> [text]theUsersPassword-DIFF=[**random][random][random][/text] >>>>>> >>>>>> [!]-- 1) Retrieve the user's salt and hash from the database >>>>>> -- >>>>>> [search] or [lookup] as approriate >>>>>> - For illustrative purposes, pretend we actually >>>>>> retrieved... >>>>>> - We know these values from above, so we'll set them up >>>>>> now >>>>>> -------------[/!] >>>>>> [text]saltFromDB=[**longRandomSalt][/text] >>>>>> [text]hashFromDB=[**saltedAndHashed][/text] >>>>>> >>>>>> [!]-- 2) Prepend the salt to the given password and hash it >>>>>> using the same hash function --[/!] >>>>>> [text]saltedAndHashedFromDB=[**shell]echo -n >>>>>> [saltFromDB][theUsersPassword-**DIFF] | sha256sum[/shell][/text] >>>>>> >>>>>> [!]-- 3) Compare the hash of the given password with the hash >>>>>> from the database. If they match, the password is correct. Otherwise, the >>>>>> password is incorrect --[/!] >>>>>> [if "[hashfromDB]"="[**saltedAndHashedFromDB]"] >>>>>> [then]THEY MATCH - Let the user in[/then] >>>>>> [else]THEY DON'T MATCH - Release the hounds[/else] >>>>>> [/if] >>>>>> ------------------------------**--------------------------- >>>>>> This message is sent to you because you are subscribed to >>>>>> the mailing list . >>>>>> To unsubscribe, E-mail to: >>>>>> archives: http://mail.webdna.us/list/**talk@webdna.us >>>>>> Bug Reporting: support@webdna.us >>>>>> >>>>> ------------------------------**--------------------------- >>>>> This message is sent to you because you are subscribed to >>>>> the mailing list . >>>>> To unsubscribe, E-mail to: >>>>> archives: http://mail.webdna.us/list/**talk@webdna.us >>>>> Bug Reporting: support@webdna.us >>>>> >>>> ------------------------------**--------------------------- >>>> This message is sent to you because you are subscribed to >>>> the mailing list . >>>> To unsubscribe, E-mail to: >>>> archives: http://mail.webdna.us/list/**talk@webdna.us >>>> Bug Reporting: support@webdna.us >>>> >>> ------------------------------**--------------------------- >>> This message is sent to you because you are subscribed to >>> the mailing list . >>> To unsubscribe, E-mail to: >>> archives: http://mail.webdna.us/list/**talk@webdna.us >>> Bug Reporting: support@webdna.us >>> >> ------------------------------**--------------------------- >> This message is sent to you because you are subscribed to >> the mailing list . >> To unsubscribe, E-mail to: >> archives: http://mail.webdna.us/list/**talk@webdna.us >> Bug Reporting: support@webdna.us >> > > ------------------------------**--------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/**talk@webdna.us > Bug Reporting: support@webdna.us > --047d7b6d9e1c5caa7604e7df1ca6 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Dan,
Pretty impressive stuff - those fu= nctions are great. =C2=A0=C2=A0
Is there a reason = you decided to use SHA-256 rather than SHA-512? =C2=A0 Also on my platform = anyway - WebDNA 6.2 on CentOS - I found that there is a stray carriage retu= rn when generating a hash using [shell]. =C2=A0 So I use the following (the= table allows pretty much any character to be used in a password):
I just found a small bug... meant to make the salt 32 chars long not 10, so= it should be [getchars start=3D1&end=3D32] in "danFunc_makeSalt&q= uot;. I've corrected it on my blog.
:-) Happy to help. Let me know if you find any bugs or have a better/smarte= r way to do it.
It actually wasn't that hard (and was fun) to me because I'm intere= sted in it... didn't take too long either once I wrapped my mind around= what he was saying.
Using info from the link Stuart sent last night, I cobbled together some fu= nctions to do "proper" hashing via WebDNA. If you find any mistak= es or have questions let me know.
=C2=A0 =C2=A0 =C2=A0 =C2=A0 [!]-- 2) Prepend the salt to the password and h= ash it with a standard cryptographic hash function such as SHA256 --[/!] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [text]saltedAndHashed=3D[shell]echo -n [longRandomSalt][theUsersPassword] | sha256sum[/shell][= /text]
=C2=A0 =C2=A0 =C2=A0 =C2=A0 [!]-- 3) Save both the salt and the hash in the= user's database record -- =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [append] or [replace] to your db = as appropriate =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 salt =3D [longRando= mSalt] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 hash =3D [saltedAnd= Hashed] =C2=A0 =C2=A0 =C2=A0 =C2=A0 -------------[/!]
=C2=A0 =C2=A0 [!]=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D TO VALIDATE A PASSWORD = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D[/!] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0[!]-- Test comparison by swapping passwor= d variable in STEP 2 to either -SAME or -DIFF --[/!] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [text]theUsersPassword-SAME=3D[theUsersPassword][/text] [text]theUsersPassword-DIFF=3D[random][random][random][/text]
=C2=A0 =C2=A0 =C2=A0 =C2=A0 [!]-- 1) Retrieve the user's salt and hash = from the database -- =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [search] or [lookup] as approriat= e =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 - For illustrative purposes, pret= end we actually retrieved... =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 - We know these values from above= , so we'll set them up now =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0-------------[/!] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [text]saltFromDB=3D[longRa= ndomSalt][/text] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [text]hashFromDB=3D[salted= AndHashed][/text]
=C2=A0 =C2=A0 =C2=A0 =C2=A0 [!]-- 2) Prepend the salt to the given password= and hash it using the same hash function --[/!] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [text]saltedAndHashedFromDB=3D[shell]echo -n [saltFromDB][theUsersPassword-DIFF] | sha256sum[/= shell][/text]
=C2=A0 =C2=A0 =C2=A0 =C2=A0 [!]-- 3) Compare the hash of the given password= with the hash from the database. If they match, the password is correct. O= therwise, the password is incorrect --[/!] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [if "[hashfromDB]"=3D&q= uot;[saltedAndHashedFromDB]"] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [then]THEY MATCH - = Let the user in[/then] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [else]THEY DON'= T MATCH - Release the hounds[/else] =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [/if] --------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list <ta= lk@webdna.us>. To unsubscribe, E-mail to: <talk-leave@webdna.us> archives: http://mail.webdna.us/list/talk@webdna.us Bug Reporting: suppo= rt@webdna.us
The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...