Re: [WebDNA] Searching for encrypted values
This WebDNA talk-list message is from 2014
It keeps the original formatting.
numero = 111245
interpreted = N
texte = Wow .... longest WebDNA response in history !!I may have to go and get a cow to test theory #1Nice ideas there Brian, I will get to work on it :)RegardsStuart TremainIDFK Web DevelopmentsAUSTRALIAwebdna@idfk.com.auOn 20 Mar 2014, at 1:17 pm, Brian Burton
wrote:> CAUTION: LONGWINDED ANSWER COMING UP=85>=20> first and foremost: DO NOT EVER STORE PASSWORDS IN A WAY THEY CAN BE =DECRYPTED.>=20> Given enough time, someone may steal your users database, and as =unlikely as this is, your webdna code, figure out how to run the code, =and decrypt the database. Ok, that's a stretch, but it's better to learn =how to do things the right way from the beginning. =20>=20> So as I've said, you don't want to store a password in a way it can be =decrypted. So now what? The answer is a hash. This is like feeding a cow =into a giant grinder and getting out sausage. The same cow, will always =make the same sausage, AND (in theory) no two different cows will ever =make the same sausage, AND you can't shove the sausage backwards thru =the machine and get a functional cow again.>=20> WebDNA has one built in hash function, the MD5 algorithm, and it's =weak, but we can work around that.=20>=20> The reason MD5 is weak is it's easy to brute force every combination =starting at a,b,c,d...aa,ab,ac...aaa,aab,aac=85. With a 6 character =password, a $10,000 computer can try every possible combination in 1 day =5 hours 22 seconds (or so I hear=85) Also, to speed things along, =hackers first try every other password ever recovered previously in a ="low hanging fruit" attempt, and then try every word in the dictionary, =and proper nouns. (including prepending and appending 2-4 digit numbers =and substituting numbers for vowels (yeah, you're so original, aren't =you.))>=20> Where was I, oh, so we need to use MD5, but make it more secure. One =way is to add a little extra text, to increase the length of the =password your user enters, this is called "salting" the password. =Before you first compute the encrypted password for the first time, you =generate a salt variable filling it with some random numbers or =characters, and then append or prepend that to the password to be =hashed. Save the hash and the salt in the users database. When you =decrypt it, simply take the users entered password, retrieve the salt, =add it to the password, and hash it and see if the values match.=20>=20> Example:>=20> to store the password the first time:> =[text]salt=3D[random][random][random][random][random][random][random][rand=om][random][random][random][/text]> [text show=3Df]passhash=3D[encrypt =method=3DAPOP][_password1][salt][/encrypt][/text]> [append db=3Dmyusers.db blah =blah]username=3D[_username]&password=3D[passhash]&salt=3D[salt][/append]>=20> to compare it> [search db=3Dmyusers.db&eqUSERNAMEdata=3D[_username]]> [founditems] [!]only happens if the user name exists=85[/!]> [text]storedpw=3D[password][/text]> [text]storedsalt=3D[salt][/text]> [/founditems]> [/search]> [text show=3Df]temppasshash=3D[encrypt =method=3DAPOP][_password][storedsalt][/encrypt][/text]> [showif [storedpw]=3D[temppasshash]] do something [/showif]>=20> I don't like storing salt in the database. It's just there, waiting to =be stolen right with the password. I suppose you could encrypt the salt, =but then you have to decrypt it too. What I do now (although this is =going to change since i just thought of something better) is have some =static and very long text hidden in the code that does the passwords =(not in the database.) This is not the text I use, but you get the =point...>=20> [text]before=3D'Twas brillig, and the slithy toves> Did gyre and gimble in the wabe;> All mimsy were the borogoves,> And the mome raths outgrabe.>=20> "Beware the Jabberwock, my son!> The jaws that bite, the claws that catch!> Beware the Jubjub bird, and shun> The frumious Bandersnatch!"[/text]>=20> [text]after=3DHe took his vorpal sword in hand:> Long time the manxome foe he sought=97> So rested he by the Tumtum tree,> And stood awhile in thought.>=20> And as in uffish thought he stood,> The Jabberwock, with eyes of flame,> Came whiffling through the tulgey wood,> And burbled as it came![/text]>=20> [text show=3Df]_MyEPass=3D[encrypt =method=3DAPOP][before][_password][after][/encrypt][/text]>=20> [search =db=3Dmyusers.db&eqMYUSERNAMEdatarq=3D[url][_username][/url]&eqMYEPASSdatar=q=3D[_MyEPass]&LOGINdatarq=3DT]> [if "[numfound]"=3D"1"]> [then][!]----- one match-----[/!]> [!][/!]> [/then]> [else][!]----- no match-----[/!]> [redirect url=3Dhttp://www.goaway.com]> [/else]> [/if]> [/search]>=20>=20> three future improvements: (i'll leave these as an exercise for you, =dear reader)>=20> a) multiple rounds of hashes, feed the results of one hash right back =into the process and do it again. (I'm led to believe some of the =banking industry uses MD5, but goes thru 8000 iterations of hashing. =Probably why it takes 30 seconds to log onto my bank's slow website.)>=20> b) here's a fun one: keep some long block of text, but add a stored =salt. all the salt indicates are the offset from the beginning,middle =and end of the text where to truncate the text and where to put the =password. if anyone steals the users database, they will think the salt =is literal and try pre and appending it.>=20> c) use WebDNAs ability to encrypt a template to hide the code you come =up with that does your password magic.=20>=20> Thoughts, questions, suggestions?>=20> Brian B. Burton>=20>=20>=20> On Mar 19, 2014, at 8:02 PM, Stuart Tremain =wrote:>=20>> Correction:>>=20>> [FoundItems]>> [ShowIf [_passwd]=3D[Decrypt =seed=3D1234][UnURL][DB_PASSWD][/UnURL][/Decrypt]]>> DATA FROM DB>> [/ShowIf]>> [/Founditems]>>=20>>=20>>=20>> Regards>>=20>> Stuart Tremain>> IDFK Web Developments>> AUSTRALIA>> webdna@idfk.com.au>>=20>>=20>>=20>>=20>> On 20 Mar 2014, at 11:57 am, Stuart Tremain =wrote:>>=20>>> I am building a username/password system and want to encrypt the =passwords>>>=20>>> However I have just realised that eqPASSWDdatarq=3D[URL][URL][ENCRYPT =seed=3D1234][_passwd][/ENCRYPT][/URL][/URL] will not work due to not =being able to get an encryption to ever be the same twice.>>>=20>>> What is the best way of dealing with this ?>>>=20>>> Govinda did post something a while ago where you would firstly do =this:>>>=20>>> eqUSRNAMEdatarq=3D[_usrname]>>>=20>>> And then use a showif in the found items to find the matching =encrypted password>>>=20>>> [FoundItems]>>> [ShowIf [_passwd]=3D[UnURL][Decrypt =seed=3D1234][DB_PASSWD][/Decrypt][/UnURL]]>>> DATA FROM DB>>> [/ShowIf]>>> [/Founditems]>>>=20>>> Is this the only way ?>>>=20>>>=20>>> Regards>>>=20>>> Stuart Tremain>>> IDFK Web Developments>>> AUSTRALIA>>> webdna@idfk.com.au>>>=20>>>=20>>>=20>>>=20>>> --------------------------------------------------------->>> This message is sent to you because you are subscribed to>>> the mailing list .>>> To unsubscribe, E-mail to: >>> archives: http://mail.webdna.us/list/talk@webdna.us>>> Bug Reporting: support@webdna.us>>=20>> --------------------------------------------------------->> This message is sent to you because you are subscribed to>> the mailing list .>> To unsubscribe, E-mail to: >> archives: http://mail.webdna.us/list/talk@webdna.us>> Bug Reporting: support@webdna.us>>=20>=20>=20> ---------------------------------------------------------> This message is sent to you because you are subscribed to> the mailing list .> To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/talk@webdna.us> Bug Reporting: support@webdna.us
Associated Messages, from the most recent to the oldest:
Wow .... longest WebDNA response in history !!I may have to go and get a cow to test theory #1Nice ideas there Brian, I will get to work on it :)RegardsStuart TremainIDFK Web DevelopmentsAUSTRALIAwebdna@idfk.com.auOn 20 Mar 2014, at 1:17 pm, Brian Burton wrote:> CAUTION: LONGWINDED ANSWER COMING UP=85>=20> first and foremost: DO NOT EVER STORE PASSWORDS IN A WAY THEY CAN BE =DECRYPTED.>=20> Given enough time, someone may steal your users database, and as =unlikely as this is, your webdna code, figure out how to run the code, =and decrypt the database. Ok, that's a stretch, but it's better to learn =how to do things the right way from the beginning. =20>=20> So as I've said, you don't want to store a password in a way it can be =decrypted. So now what? The answer is a hash. This is like feeding a cow =into a giant grinder and getting out sausage. The same cow, will always =make the same sausage, AND (in theory) no two different cows will ever =make the same sausage, AND you can't shove the sausage backwards thru =the machine and get a functional cow again.>=20> WebDNA has one built in hash function, the MD5 algorithm, and it's =weak, but we can work around that.=20>=20> The reason MD5 is weak is it's easy to brute force every combination =starting at a,b,c,d...aa,ab,ac...aaa,aab,aac=85. With a 6 character =password, a $10,000 computer can try every possible combination in 1 day =5 hours 22 seconds (or so I hear=85) Also, to speed things along, =hackers first try every other password ever recovered previously in a ="low hanging fruit" attempt, and then try every word in the dictionary, =and proper nouns. (including prepending and appending 2-4 digit numbers =and substituting numbers for vowels (yeah, you're so original, aren't =you.))>=20> Where was I, oh, so we need to use MD5, but make it more secure. One =way is to add a little extra text, to increase the length of the =password your user enters, this is called "salting" the password. =Before you first compute the encrypted password for the first time, you =generate a salt variable filling it with some random numbers or =characters, and then append or prepend that to the password to be =hashed. Save the hash and the salt in the users database. When you =decrypt it, simply take the users entered password, retrieve the salt, =add it to the password, and hash it and see if the values match.=20>=20> Example:>=20> to store the password the first time:> =[text]salt=3D[random][random][random][random][random][random][random][rand=om][random][random][random][/text]> [text show=3Df]passhash=3D[encrypt =method=3DAPOP][_password1][salt][/encrypt][/text]> [append db=3Dmyusers.db blah =blah]username=3D[_username]&password=3D[passhash]&salt=3D[salt][/append]>=20> to compare it> [search db=3Dmyusers.db&eqUSERNAMEdata=3D[_username]]> [founditems] [!]only happens if the user name exists=85[/!]> [text]storedpw=3D[password][/text]> [text]storedsalt=3D[salt][/text]> [/founditems]> [/search]> [text show=3Df]temppasshash=3D[encrypt =method=3DAPOP][_password][storedsalt][/encrypt][/text]> [showif [storedpw]=3D[temppasshash]] do something [/showif]>=20> I don't like storing salt in the database. It's just there, waiting to =be stolen right with the password. I suppose you could encrypt the salt, =but then you have to decrypt it too. What I do now (although this is =going to change since i just thought of something better) is have some =static and very long text hidden in the code that does the passwords =(not in the database.) This is not the text I use, but you get the =point...>=20> [text]before=3D'Twas brillig, and the slithy toves> Did gyre and gimble in the wabe;> All mimsy were the borogoves,> And the mome raths outgrabe.>=20> "Beware the Jabberwock, my son!> The jaws that bite, the claws that catch!> Beware the Jubjub bird, and shun> The frumious Bandersnatch!"[/text]>=20> [text]after=3DHe took his vorpal sword in hand:> Long time the manxome foe he sought=97> So rested he by the Tumtum tree,> And stood awhile in thought.>=20> And as in uffish thought he stood,> The Jabberwock, with eyes of flame,> Came whiffling through the tulgey wood,> And burbled as it came![/text]>=20> [text show=3Df]_MyEPass=3D[encrypt =method=3DAPOP][before][_password][after][/encrypt][/text]>=20> [search =db=3Dmyusers.db&eqMYUSERNAMEdatarq=3D[url][_username][/url]&eqMYEPASSdatar=q=3D[_MyEPass]&LOGINdatarq=3DT]> [if "[numfound]"=3D"1"]> [then][!]----- one match-----[/!]> [!][/!]> [/then]> [else][!]----- no match-----[/!]> [redirect url=3Dhttp://www.goaway.com]> [/else]> [/if]> [/search]>=20>=20> three future improvements: (i'll leave these as an exercise for you, =dear reader)>=20> a) multiple rounds of hashes, feed the results of one hash right back =into the process and do it again. (I'm led to believe some of the =banking industry uses MD5, but goes thru 8000 iterations of hashing. =Probably why it takes 30 seconds to log onto my bank's slow website.)>=20> b) here's a fun one: keep some long block of text, but add a stored =salt. all the salt indicates are the offset from the beginning,middle =and end of the text where to truncate the text and where to put the =password. if anyone steals the users database, they will think the salt =is literal and try pre and appending it.>=20> c) use WebDNAs ability to encrypt a template to hide the code you come =up with that does your password magic.=20>=20> Thoughts, questions, suggestions?>=20> Brian B. Burton>=20>=20>=20> On Mar 19, 2014, at 8:02 PM, Stuart Tremain =wrote:>=20>> Correction:>>=20>> [founditems]>> [ShowIf [_passwd]=3D[Decrypt =seed=3D1234][unurl][DB_PASSWD][/UnURL][/Decrypt]]>> DATA FROM DB>> [/ShowIf]>> [/Founditems]>>=20>>=20>>=20>> Regards>>=20>> Stuart Tremain>> IDFK Web Developments>> AUSTRALIA>> webdna@idfk.com.au>>=20>>=20>>=20>>=20>> On 20 Mar 2014, at 11:57 am, Stuart Tremain =wrote:>>=20>>> I am building a username/password system and want to encrypt the =passwords>>>=20>>> However I have just realised that eqPASSWDdatarq=3D[url][url][ENCRYPT =seed=3D1234][_passwd][/ENCRYPT][/URL][/URL] will not work due to not =being able to get an encryption to ever be the same twice.>>>=20>>> What is the best way of dealing with this ?>>>=20>>> Govinda did post something a while ago where you would firstly do =this:>>>=20>>> eqUSRNAMEdatarq=3D[_usrname]>>>=20>>> And then use a showif in the found items to find the matching =encrypted password>>>=20>>> [founditems]>>> [ShowIf [_passwd]=3D[unurl][Decrypt =seed=3D1234][DB_PASSWD][/Decrypt][/UnURL]]>>> DATA FROM DB>>> [/ShowIf]>>> [/Founditems]>>>=20>>> Is this the only way ?>>>=20>>>=20>>> Regards>>>=20>>> Stuart Tremain>>> IDFK Web Developments>>> AUSTRALIA>>> webdna@idfk.com.au>>>=20>>>=20>>>=20>>>=20>>> --------------------------------------------------------->>> This message is sent to you because you are subscribed to>>> the mailing list .>>> To unsubscribe, E-mail to: >>> archives: http://mail.webdna.us/list/talk@webdna.us>>> Bug Reporting: support@webdna.us>>=20>> --------------------------------------------------------->> This message is sent to you because you are subscribed to>> the mailing list .>> To unsubscribe, E-mail to: >> archives: http://mail.webdna.us/list/talk@webdna.us>> Bug Reporting: support@webdna.us>>=20>=20>=20> ---------------------------------------------------------> This message is sent to you because you are subscribed to> the mailing list .> To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/talk@webdna.us> Bug Reporting: support@webdna.us
Stuart Tremain
DOWNLOAD WEBDNA NOW!
Top Articles:
Talk List
The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...
Related Readings:
Emailer errors (1997)
Making Thumbnail Graphics (1997)
How To get Some Help (2003)
can WC render sites out? (1997)
Variables for chat (1997)
Again: tcpconnect problem with authorize.net (2003)
Price problem (1997)
U&P IIS concept (1998)
WebCatalog can't find database (1997)
WebCat2.0 [format thousands .0f] no go (1997)
[isfile] ? (1997)
Weird variable behaviour (2002)
Please, no more comparisons between operating systems (1998)
multiple search commands (1997)
question about checkboxes (1999)
Server crash (1997)
[WebDNA] mod_deflate and webdna (2017)
WebCat2b12 - nesting [tags] (1997)
Inventory lookup & display... (2003)
Include vs. lookup? (1998)