Re: [WebDNA] Searching for encrypted values

This WebDNA talk-list message is from 2014.
CAUTION: LONGWINDED ANSWER COMING UP...

First and foremost: DO NOT EVER STORE PASSWORDS IN A WAY THEY CAN BE DECRYPTED. Given enough time, someone may steal your users database, and as unlikely as this is, your WebDNA code, figure out how to run the code, and decrypt the database. Ok, that's a stretch, but it's better to learn how to do things the right way from the beginning.

So as I've said, you don't want to store a password in a way it can be decrypted. So now what? The answer is a hash. This is like feeding a cow into a giant grinder and getting out sausage. The same cow will always make the same sausage, AND (in theory) no two different cows will ever make the same sausage, AND you can't shove the sausage backwards thru the machine and get a functional cow again.

WebDNA has one built in hash function, the MD5 algorithm, and it's weak, but we can work around that.

The reason MD5 is weak is it's easy to brute force every combination starting at a,b,c,d...aa,ab,ac...aaa,aab,aac... With a 6 character password, a $10,000 computer can try every possible combination in 1 day 5 hours 22 seconds (or so I hear...). Also, to speed things along, hackers first try every other password ever recovered previously in a "low hanging fruit" attempt, and then try every word in the dictionary, and proper nouns (including prepending and appending 2-4 digit numbers and substituting numbers for vowels (yeah, you're so original, aren't you.)).

Where was I, oh, so we need to use MD5, but make it more secure. One way is to add a little extra text, to increase the length of the password your user enters; this is called "salting" the password. Before you compute the encrypted password for the first time, you generate a salt variable, filling it with some random numbers or characters, and then append or prepend that to the password to be hashed. Save the hash and the salt in the users database. When you decrypt it, simply take the user's entered password, retrieve the salt, add it to the password, hash it and see if the values match.

Example: to store the password the first time:

[text]salt=[random][random][random][random][random][random][random][random][random][random][random][/text]
[text show=f]passhash=[encrypt method=APOP][_password1][salt][/encrypt][/text]
[append db=myusers.db blah blah]username=[_username]&password=[passhash]&salt=[salt][/append]

to compare it:

[search db=myusers.db&eqUSERNAMEdata=[_username]]
  [founditems]
    [!]only happens if the user name exists...[/!]
    [text]storedpw=[password][/text]
    [text]storedsalt=[salt][/text]
  [/founditems]
[/search]
[text show=f]temppasshash=[encrypt method=APOP][_password][storedsalt][/encrypt][/text]
[showif [storedpw]=[temppasshash]]
  do something
[/showif]

I don't like storing salt in the database. It's just there, waiting to be stolen right with the password. I suppose you could encrypt the salt, but then you have to decrypt it too. What I do now (although this is going to change since I just thought of something better) is have some static and very long text hidden in the code that does the passwords (not in the database). This is not the text I use, but you get the point...

[text]before='Twas brillig, and the slithy toves Did gyre and gimble in the wabe; All mimsy were the borogoves, And the mome raths outgrabe. "Beware the Jabberwock, my son! The jaws that bite, the claws that catch! Beware the Jubjub bird, and shun The frumious Bandersnatch!"[/text]
[text]after=He took his vorpal sword in hand: Long time the manxome foe he sought - So rested he by the Tumtum tree, And stood awhile in thought. And as in uffish thought he stood, The Jabberwock, with eyes of flame, Came whiffling through the tulgey wood, And burbled as it came![/text]
[text show=f]_MyEPass=[encrypt method=APOP][before][_password][after][/encrypt][/text]
[search db=myusers.db&eqMYUSERNAMEdatarq=[url][_username][/url]&eqMYEPASSdatarq=[_MyEPass]&LOGINdatarq=T]
  [if "[numfound]"="1"]
    [then][!]----- one match -----[/!][/then]
    [else][!]----- no match -----[/!][redirect url=http://www.goaway.com][/else]
  [/if]
[/search]

Three future improvements (I'll leave these as an exercise for you, dear reader):

a) multiple rounds of hashes: feed the results of one hash right back into the process and do it again. (I'm led to believe some of the banking industry uses MD5, but goes thru 8000 iterations of hashing. Probably why it takes 30 seconds to log onto my bank's slow website.)

b) here's a fun one: keep some long block of text, but add a stored salt. All the salt indicates are the offsets from the beginning, middle and end of the text where to truncate the text and where to put the password. If anyone steals the users database, they will think the salt is literal and try pre- and appending it.

c) use WebDNA's ability to encrypt a template to hide the code you come up with that does your password magic.

Thoughts, questions, suggestions?

Brian B. Burton

On Mar 19, 2014, at 8:02 PM, Stuart Tremain wrote:

> Correction:
>
> [FoundItems]
> [ShowIf [_passwd]=[Decrypt seed=1234][UnURL][DB_PASSWD][/UnURL][/Decrypt]]
> DATA FROM DB
> [/ShowIf]
> [/Founditems]
>
> Regards
>
> Stuart Tremain
> IDFK Web Developments
> AUSTRALIA
> webdna@idfk.com.au
>
> On 20 Mar 2014, at 11:57 am, Stuart Tremain wrote:
>
>> I am building a username/password system and want to encrypt the passwords
>>
>> However I have just realised that eqPASSWDdatarq=[URL][URL][ENCRYPT seed=1234][_passwd][/ENCRYPT][/URL][/URL] will not work due to not being able to get an encryption to ever be the same twice.
>>
>> What is the best way of dealing with this?
>>
>> Govinda did post something a while ago where you would firstly do this:
>>
>> eqUSRNAMEdatarq=[_usrname]
>>
>> And then use a showif in the found items to find the matching encrypted password
>>
>> [FoundItems]
>> [ShowIf [_passwd]=[UnURL][Decrypt seed=1234][DB_PASSWD][/Decrypt][/UnURL]]
>> DATA FROM DB
>> [/ShowIf]
>> [/Founditems]
>>
>> Is this the only way?
>>
>> Regards
>>
>> Stuart Tremain
>> IDFK Web Developments
>> AUSTRALIA
>> webdna@idfk.com.au
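The salted-hash scheme from Brian's reply, together with his improvement (a) of feeding each digest back in, as an added example in Python rather than WebDNA (it is not code from the post or from WebDNA itself). It assumes that WebDNA's [encrypt method=APOP] is a plain hex MD5 of its input, uses a CSPRNG for the salt where the post chains [random] calls, and compares hashes in constant time where the post's [showif] does a string compare; because the hash is deterministic, the stored value can be looked up or compared directly, which is what Stuart's [encrypt seed=...] approach could not do.

```python
import hashlib
import hmac
import secrets

# Constructed re-implementation of the post's scheme; not WebDNA code.
# Assumption: [encrypt method=APOP] is the hex MD5 digest of its input.
ROUNDS = 8000   # improvement (a): iterate, as the post says some banks do


def apop(data: str) -> str:
    """Hex MD5 of the input (assumed equivalent of WebDNA's APOP method)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def make_salt(nbytes: int = 16) -> str:
    """Per-user random salt from a CSPRNG; the post builds one from [random]."""
    return secrets.token_hex(nbytes)


def hash_password(password: str, salt: str, rounds: int = 1) -> str:
    """Append the salt and hash; with rounds > 1 each digest is fed back in."""
    digest = apop(password + salt)
    for _ in range(rounds - 1):
        digest = apop(digest + salt)
    return digest


def store(db: dict, username: str, password: str, rounds: int = ROUNDS) -> None:
    """Equivalent of the post's [append]: keep hash, salt and round count."""
    salt = make_salt()
    db[username] = {"salt": salt, "rounds": rounds,
                    "hash": hash_password(password, salt, rounds)}


def verify(db: dict, username: str, password: str) -> bool:
    """Equivalent of the post's search plus [showif] compare."""
    rec = db.get(username)
    if rec is None:
        return False  # unknown user: the [founditems] block never runs
    candidate = hash_password(password, rec["salt"], rec["rounds"])
    # constant-time compare instead of the post's plain string equality
    return hmac.compare_digest(candidate, rec["hash"])


if __name__ == "__main__":
    users = {}                      # constructed stand-in for myusers.db
    store(users, "alice", "correct horse")
    store(users, "bob", "correct horse")
    print(users["alice"]["hash"] != users["bob"]["hash"])   # True: salts differ
    print(verify(users, "alice", "correct horse"))          # True
    print(verify(users, "alice", "wrong"))                  # False
```

In a current deployment apop() would be replaced by a purpose-built password hash such as hashlib.scrypt or hashlib.pbkdf2_hmac, which build in the salt and the iteration count.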