Re: [WebDNA] Searching for encrypted values

This WebDNA talk-list message is from Stuart Tremain, 2014


Wow .... longest WebDNA response in history !! I may have to go and get a cow to test theory #1

Nice ideas there Brian, I will get to work on it :)

Regards

Stuart Tremain
IDFK Web Developments
AUSTRALIA
webdna@idfk.com.au

On 20 Mar 2014, at 1:17 pm, Brian Burton wrote:

> CAUTION: LONGWINDED ANSWER COMING UP…
>
> first and foremost: DO NOT EVER STORE PASSWORDS IN A WAY THEY CAN BE DECRYPTED.
>
> Given enough time, someone may steal your users database, and, as unlikely as this is, your webdna code, figure out how to run the code, and decrypt the database. Ok, that's a stretch, but it's better to learn how to do things the right way from the beginning.
>
> So as I've said, you don't want to store a password in a way it can be decrypted. So now what? The answer is a hash. This is like feeding a cow into a giant grinder and getting out sausage. The same cow will always make the same sausage, AND (in theory) no two different cows will ever make the same sausage, AND you can't shove the sausage backwards thru the machine and get a functional cow again.
>
> WebDNA has one built in hash function, the MD5 algorithm, and it's weak, but we can work around that.
>
> The reason MD5 is weak is it's easy to brute force every combination starting at a,b,c,d...aa,ab,ac...aaa,aab,aac…. With a 6 character password, a $10,000 computer can try every possible combination in 1 day 5 hours 22 seconds (or so I hear…). Also, to speed things along, hackers first try every other password ever recovered previously in a "low hanging fruit" attempt, and then try every word in the dictionary, and proper nouns (including prepending and appending 2-4 digit numbers and substituting numbers for vowels (yeah, you're so original, aren't you.)).
>
> Where was I, oh, so we need to use MD5, but make it more secure. One way is to add a little extra text, to increase the length of the password your user enters; this is called "salting" the password. Before you compute the encrypted password for the first time, you generate a salt variable, filling it with some random numbers or characters, and then append or prepend that to the password to be hashed. Save the hash and the salt in the users database. When you decrypt it, simply take the user's entered password, retrieve the salt, add it to the password, hash it and see if the values match.
>
> Example:
>
> to store the password the first time:
> [text]salt=[random][random][random][random][random][random][random][random][random][random][random][/text]
> [text show=f]passhash=[encrypt method=APOP][_password1][salt][/encrypt][/text]
> [append db=myusers.db blah blah]username=[_username]&password=[passhash]&salt=[salt][/append]
>
> to compare it
> [search db=myusers.db&eqUSERNAMEdata=[_username]]
> [founditems] [!]only happens if the user name exists…[/!]
>   [text]storedpw=[password][/text]
>   [text]storedsalt=[salt][/text]
> [/founditems]
> [/search]
> [text show=f]temppasshash=[encrypt method=APOP][_password][storedsalt][/encrypt][/text]
> [showif [storedpw]=[temppasshash]] do something [/showif]
>
> I don't like storing salt in the database. It's just there, waiting to be stolen right with the password. I suppose you could encrypt the salt, but then you have to decrypt it too. What I do now (although this is going to change since I just thought of something better) is have some static and very long text hidden in the code that does the passwords (not in the database). This is not the text I use, but you get the point...
>
> [text]before='Twas brillig, and the slithy toves
> Did gyre and gimble in the wabe;
> All mimsy were the borogoves,
> And the mome raths outgrabe.
>
> "Beware the Jabberwock, my son!
> The jaws that bite, the claws that catch!
> Beware the Jubjub bird, and shun
> The frumious Bandersnatch!"[/text]
>
> [text]after=He took his vorpal sword in hand:
> Long time the manxome foe he sought—
> So rested he by the Tumtum tree,
> And stood awhile in thought.
>
> And as in uffish thought he stood,
> The Jabberwock, with eyes of flame,
> Came whiffling through the tulgey wood,
> And burbled as it came![/text]
>
> [text show=f]_MyEPass=[encrypt method=APOP][before][_password][after][/encrypt][/text]
>
> [search db=myusers.db&eqMYUSERNAMEdatarq=[url][_username][/url]&eqMYEPASSdatarq=[_MyEPass]&LOGINdatarq=T]
> [if "[numfound]"="1"]
>   [then][!]----- one match-----[/!]
>   [!][/!]
>   [/then]
>   [else][!]----- no match-----[/!]
>   [redirect url=http://www.goaway.com]
>   [/else]
> [/if]
> [/search]
>
>
> three future improvements: (I'll leave these as an exercise for you, dear reader)
>
> a) multiple rounds of hashes: feed the results of one hash right back into the process and do it again. (I'm led to believe some of the banking industry uses MD5, but goes thru 8000 iterations of hashing. Probably why it takes 30 seconds to log onto my bank's slow website.)
>
> b) here's a fun one: keep some long block of text, but add a stored salt. All the salt indicates are the offsets from the beginning, middle and end of the text where to truncate the text and where to put the password. If anyone steals the users database, they will think the salt is literal and try pre- and appending it.
>
> c) use WebDNA's ability to encrypt a template to hide the code you come up with that does your password magic.
>
> Thoughts, questions, suggestions?
>
> Brian B. Burton
>
>
>
> On Mar 19, 2014, at 8:02 PM, Stuart Tremain wrote:
>
>> Correction:
>>
>> [FoundItems]
>> [ShowIf [_passwd]=[Decrypt seed=1234][UnURL][DB_PASSWD][/UnURL][/Decrypt]]
>> DATA FROM DB
>> [/ShowIf]
>> [/FoundItems]
>>
>>
>>
>> Regards
>>
>> Stuart Tremain
>> IDFK Web Developments
>> AUSTRALIA
>> webdna@idfk.com.au
>>
>>
>>
>>
>> On 20 Mar 2014, at 11:57 am, Stuart Tremain wrote:
>>
>>> I am building a username/password system and want to encrypt the passwords.
>>>
>>> However I have just realised that eqPASSWDdatarq=[URL][URL][ENCRYPT seed=1234][_passwd][/ENCRYPT][/URL][/URL] will not work due to not being able to get an encryption to ever be the same twice.
>>>
>>> What is the best way of dealing with this?
>>>
>>> Govinda did post something a while ago where you would firstly do this:
>>>
>>> eqUSRNAMEdatarq=[_usrname]
>>>
>>> And then use a showif in the found items to find the matching encrypted password:
>>>
>>> [FoundItems]
>>> [ShowIf [_passwd]=[UnURL][Decrypt seed=1234][DB_PASSWD][/Decrypt][/UnURL]]
>>> DATA FROM DB
>>> [/ShowIf]
>>> [/FoundItems]
>>>
>>> Is this the only way?
>>>
>>>
>>> Regards
>>>
>>> Stuart Tremain
>>> IDFK Web Developments
>>> AUSTRALIA
>>> webdna@idfk.com.au
>>>
>>>
>>>
>>>
>>> ---------------------------------------------------------
>>> This message is sent to you because you are subscribed to
>>> the mailing list .
>>> To unsubscribe, E-mail to:
>>> archives: http://mail.webdna.us/list/talk@webdna.us
>>> Bug Reporting: support@webdna.us

Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Searching for encrypted values (Stuart Tremain 2014)
  2. Re: [WebDNA] Searching for encrypted values (Dan Strong 2014)
  3. Re: [WebDNA] Searching for encrypted values ("Psi Prime Inc, Matthew A Perosi " 2014)
  4. Re: [WebDNA] Searching for encrypted values (Dan Strong 2014)
  5. Re: [WebDNA] Searching for encrypted values (Stuart Tremain 2014)
  6. Re: [WebDNA] Searching for encrypted values (Brian Burton 2014)
  7. Re: [WebDNA] Searching for encrypted values (Stuart Tremain 2014)
  8. [WebDNA] Searching for encrypted values (Stuart Tremain 2014)
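The scheme Brian Burton lays out above (a per-user random salt stored beside the hash, a long secret kept in the code rather than in the user database, and many hashing rounds) is shown here as an added example in Python. It is not WebDNA and not code from the thread: the thread's MD5/APOP hash is replaced by PBKDF2-HMAC-SHA256 from the standard library, and PEPPER, ITERATIONS, the in-memory `users` dictionary and the constructed WORDLIST are assumptions for the demonstration. The two `crack_*` helpers show the practical difference the salt makes: one precomputed table hits every unsalted user at once, while a salted record forces a fresh, iterated run of the wordlist per user.

```python
"""Salted, iterated password hashing with a server-side pepper (added example)."""
import hashlib
import hmac
import os
from typing import Optional

# Assumption: the pepper lives in application code or config, never in
# the users table, so a stolen database alone is not enough to start cracking.
PEPPER = b"'Twas brillig, and the slithy toves / Did gyre and gimble in the wabe"

# Assumption: round count; the thread mentions ~8000 rounds.
ITERATIONS = 8000

# Constructed sample wordlist standing in for a "low hanging fruit" list.
WORDLIST = ["password", "123456", "letmein", "correct horse battery staple"]


def make_salt(nbytes: int = 16) -> str:
    """Fresh random salt per user, hex-encoded so it fits a text column."""
    return os.urandom(nbytes).hex()


def hash_password(password: str, salt_hex: str, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 over pepper||password with the per-user salt.

    Same password + same salt always yields the same digest (so it can be
    compared), but the digest cannot be reversed, and two users only share a
    digest if they share both password and salt.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        PEPPER + password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        iterations,
    )
    return digest.hex()


def register(users: dict, username: str, password: str) -> dict:
    """Store only salt + hash; the clear-text password is never written."""
    salt = make_salt()
    users[username] = {"salt": salt, "hash": hash_password(password, salt)}
    return users[username]


def verify(users: dict, username: str, password: str) -> bool:
    """Look the user up by name, rehash the attempt with the stored salt and
    compare in constant time. Unknown users still pay the hashing cost so the
    response time does not reveal whether the name exists."""
    record = users.get(username)
    if record is None:
        hash_password(password, make_salt())  # equalise timing, then fail
        return False
    attempt = hash_password(password, record["salt"])
    return hmac.compare_digest(attempt, record["hash"])


def unsalted_md5(password: str) -> str:
    """The bare MD5 the thread starts from, kept only for contrast."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(digest: str) -> Optional[str]:
    """One precomputed table serves every user when there is no salt."""
    table = {unsalted_md5(w): w for w in WORDLIST}
    return table.get(digest)


def crack_salted(record: dict) -> Optional[str]:
    """With a salt the attacker must redo ITERATIONS rounds per word, per user;
    a weak password still falls, but nothing is reusable across users."""
    for word in WORDLIST:
        if hmac.compare_digest(hash_password(word, record["salt"]), record["hash"]):
            return word
    return None


if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct horse battery staple")
    register(users, "bob", "correct horse battery staple")
    print("distinct stored hashes:", users["alice"]["hash"] != users["bob"]["hash"])
    print("alice correct:", verify(users, "alice", "correct horse battery staple"))
    print("alice wrong:", verify(users, "alice", "wrong"))
    print("unknown user:", verify(users, "nobody", "whatever"))
    print("unsalted md5 of 'letmein' found:", crack_unsalted(unsalted_md5("letmein")))
    print("salted alice found:", crack_salted(users["alice"]))
```

The pepper and the salt do different jobs: the salt stops one table from covering every user, the pepper means a database dump without the code is not enough to begin, and the iteration count sets how much each guess costs. None of the three rescues a password that is on the wordlist, which is the point the `crack_salted` call makes.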
