Re: [WebDNA] Searching for encrypted values

This WebDNA talk-list message is from

2014


It keeps the original formatting.
numero = 111247
interpreted = N
texte = Your Option C is something I've been toying with. I've also thought of creating a self destruct mechanism of the database with the secure information in it (passwords, account numbers) if the encrypted password template is tampered in any way... It's better to have a dead website that would have to be restored than to risk the wrath of the government agencies that come down on you if you are the cause of allowing secure information to get out into the wild. -Matt On 3/19/2014 10:17 PM, Brian Burton wrote: > CAUTION: LONGWINDED ANSWER COMING UP… > > first and foremost: DO NOT EVER STORE PASSWORDS IN A WAY THEY CAN BE DECRYPTED. > > Given enough time, someone may steal your users database, and as unlikely as this is, your webdna code, figure out how to run the code, and decrypt the database. Ok, that's a stretch, but it's better to learn how to do things the right way from the beginning. > > So as I've said, you don't want to store a password in a way it can be decrypted. So now what? The answer is a hash. This is like feeding a cow into a giant grinder and getting out sausage. The same cow, will always make the same sausage, AND (in theory) no two different cows will ever make the same sausage, AND you can't shove the sausage backwards thru the machine and get a functional cow again. > > WebDNA has one built in hash function, the MD5 algorithm, and it's weak, but we can work around that. > > The reason MD5 is weak is it's easy to brute force every combination starting at a,b,c,d...aa,ab,ac...aaa,aab,aac…. With a 6 character password, a $10,000 computer can try every possible combination in 1 day 5 hours 22 seconds (or so I hear…) Also, to speed things along, hackers first try every other password ever recovered previously in a "low hanging fruit" attempt, and then try every word in the dictionary, and proper nouns. (including prepending and appending 2-4 digit numbers and substituting numbers for vowels (yeah, you're so original, aren't you.)) > > Where was I, oh, so we need to use MD5, but make it more secure. One way is to add a little extra text, to increase the length of the password your user enters, this is called "salting" the password. Before you first compute the encrypted password for the first time, you generate a salt variable filling it with some random numbers or characters, and then append or prepend that to the password to be hashed. Save the hash and the salt in the users database. When you decrypt it, simply take the users entered password, retrieve the salt, add it to the password, and hash it and see if the values match. > > Example: > > to store the password the first time: > [text]salt=[random][random][random][random][random][random][random][random][random][random][random][/text] > [text show=f]passhash=[encrypt method=APOP][_password1][salt][/encrypt][/text] > [append db=myusers.db blah blah]username=[_username]&password=[passhash]&salt=[salt][/append] > > to compare it > [search db=myusers.db&eqUSERNAMEdata=[_username]] > [founditems] [!]only happens if the user name exists…[/!] > [text]storedpw=[password][/text] > [text]storedsalt=[salt][/text] > [/founditems] > [/search] > [text show=f]temppasshash=[encrypt method=APOP][_password][storedsalt][/encrypt][/text] > [showif [storedpw]=[temppasshash]] do something [/showif] > > I don't like storing salt in the database. It's just there, waiting to be stolen right with the password. I suppose you could encrypt the salt, but then you have to decrypt it too. What I do now (although this is going to change since i just thought of something better) is have some static and very long text hidden in the code that does the passwords (not in the database.) This is not the text I use, but you get the point... > > [text]before='Twas brillig, and the slithy toves > Did gyre and gimble in the wabe; > All mimsy were the borogoves, > And the mome raths outgrabe. > > "Beware the Jabberwock, my son! > The jaws that bite, the claws that catch! > Beware the Jubjub bird, and shun > The frumious Bandersnatch!"[/text] > > [text]after=He took his vorpal sword in hand: > Long time the manxome foe he sought— > So rested he by the Tumtum tree, > And stood awhile in thought. > > And as in uffish thought he stood, > The Jabberwock, with eyes of flame, > Came whiffling through the tulgey wood, > And burbled as it came![/text] > > [text show=f]_MyEPass=[encrypt method=APOP][before][_password][after][/encrypt][/text] > > [search db=myusers.db&eqMYUSERNAMEdatarq=[url][_username][/url]&eqMYEPASSdatarq=[_MyEPass]&LOGINdatarq=T] > [if "[numfound]"="1"] > [then][!]----- one match-----[/!] > [!][/!] > [/then] > [else][!]----- no match-----[/!] > [redirect url=http://www.goaway.com] > [/else] > [/if] > [/search] > > > three future improvements: (i'll leave these as an exercise for you, dear reader) > > a) multiple rounds of hashes, feed the results of one hash right back into the process and do it again. (I'm led to believe some of the banking industry uses MD5, but goes thru 8000 iterations of hashing. Probably why it takes 30 seconds to log onto my bank's slow website.) > > b) here's a fun one: keep some long block of text, but add a stored salt. all the salt indicates are the offset from the beginning,middle and end of the text where to truncate the text and where to put the password. if anyone steals the users database, they will think the salt is literal and try pre and appending it. > > c) use WebDNAs ability to encrypt a template to hide the code you come up with that does your password magic. > > Thoughts, questions, suggestions? > > Brian B. Burton > > > > On Mar 19, 2014, at 8:02 PM, Stuart Tremain wrote: > >> Correction: >> >> [FoundItems] >> [ShowIf [_passwd]=[Decrypt seed=1234][UnURL][DB_PASSWD][/UnURL][/Decrypt]] >> DATA FROM DB >> [/ShowIf] >> [/Founditems] >> >> >> >> Regards >> >> Stuart Tremain >> IDFK Web Developments >> AUSTRALIA >> webdna@idfk.com.au >> >> >> >> >> On 20 Mar 2014, at 11:57 am, Stuart Tremain wrote: >> >>> I am building a username/password system and want to encrypt the passwords >>> >>> However I have just realised that eqPASSWDdatarq=[URL][URL][ENCRYPT seed=1234][_passwd][/ENCRYPT][/URL][/URL] will not work due to not being able to get an encryption to ever be the same twice. >>> >>> What is the best way of dealing with this ? >>> >>> Govinda did post something a while ago where you would firstly do this: >>> >>> eqUSRNAMEdatarq=[_usrname] >>> >>> And then use a showif in the found items to find the matching encrypted password >>> >>> [FoundItems] >>> [ShowIf [_passwd]=[UnURL][Decrypt seed=1234][DB_PASSWD][/Decrypt][/UnURL]] >>> DATA FROM DB >>> [/ShowIf] >>> [/Founditems] >>> >>> Is this the only way ? >>> >>> >>> Regards >>> >>> Stuart Tremain >>> IDFK Web Developments >>> AUSTRALIA >>> webdna@idfk.com.au >>> >>> >>> >>> >>> --------------------------------------------------------- >>> This message is sent to you because you are subscribed to >>> the mailing list . >>> To unsubscribe, E-mail to: >>> archives: http://mail.webdna.us/list/talk@webdna.us >>> Bug Reporting: support@webdna.us >> --------------------------------------------------------- >> This message is sent to you because you are subscribed to >> the mailing list . >> To unsubscribe, E-mail to: >> archives: http://mail.webdna.us/list/talk@webdna.us >> Bug Reporting: support@webdna.us >> > > --------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/talk@webdna.us > Bug Reporting: support@webdna.us > > -- Matthew A Perosi Corporate Consultant Mobile Marketing Expert Senior Web Developer SEO Analyst & Educator matt@psiprime.com Psi Prime, Inc. 323 Union Blvd. Totowa, NJ 07512 Direct: 888.872.0274 Fax: 888.488.5924 http://www.perosi.com Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Searching for encrypted values (Stuart Tremain 2014)
  2. Re: [WebDNA] Searching for encrypted values (Dan Strong 2014)
  3. Re: [WebDNA] Searching for encrypted values ("Psi Prime Inc, Matthew A Perosi " 2014)
  4. Re: [WebDNA] Searching for encrypted values (Dan Strong 2014)
  5. Re: [WebDNA] Searching for encrypted values (Stuart Tremain 2014)
  6. Re: [WebDNA] Searching for encrypted values (Brian Burton 2014)
  7. Re: [WebDNA] Searching for encrypted values (Stuart Tremain 2014)
  8. [WebDNA] Searching for encrypted values (Stuart Tremain 2014)
Your Option C is something I've been toying with. I've also thought of creating a self destruct mechanism of the database with the secure information in it (passwords, account numbers) if the encrypted password template is tampered in any way... It's better to have a dead website that would have to be restored than to risk the wrath of the government agencies that come down on you if you are the cause of allowing secure information to get out into the wild. -Matt On 3/19/2014 10:17 PM, Brian Burton wrote: > CAUTION: LONGWINDED ANSWER COMING UP… > > first and foremost: DO NOT EVER STORE PASSWORDS IN A WAY THEY CAN BE DECRYPTED. > > Given enough time, someone may steal your users database, and as unlikely as this is, your webdna code, figure out how to run the code, and decrypt the database. Ok, that's a stretch, but it's better to learn how to do things the right way from the beginning. > > So as I've said, you don't want to store a password in a way it can be decrypted. So now what? The answer is a hash. This is like feeding a cow into a giant grinder and getting out sausage. The same cow, will always make the same sausage, AND (in theory) no two different cows will ever make the same sausage, AND you can't shove the sausage backwards thru the machine and get a functional cow again. > > WebDNA has one built in hash function, the MD5 algorithm, and it's weak, but we can work around that. > > The reason MD5 is weak is it's easy to brute force every combination starting at a,b,c,d...aa,ab,ac...aaa,aab,aac…. With a 6 character password, a $10,000 computer can try every possible combination in 1 day 5 hours 22 seconds (or so I hear…) Also, to speed things along, hackers first try every other password ever recovered previously in a "low hanging fruit" attempt, and then try every word in the dictionary, and proper nouns. (including prepending and appending 2-4 digit numbers and substituting numbers for vowels (yeah, you're so original, aren't you.)) > > Where was I, oh, so we need to use MD5, but make it more secure. One way is to add a little extra text, to increase the length of the password your user enters, this is called "salting" the password. Before you first compute the encrypted password for the first time, you generate a salt variable filling it with some random numbers or characters, and then append or prepend that to the password to be hashed. Save the hash and the salt in the users database. When you decrypt it, simply take the users entered password, retrieve the salt, add it to the password, and hash it and see if the values match. > > Example: > > to store the password the first time: > [text]salt=[random][random][random][random][random][random][random][random][random][random][random][/text] > [text show=f]passhash=[encrypt method=APOP][_password1][salt][/encrypt][/text] > [append db=myusers.db blah blah]username=[_username]&password=[passhash]&salt=[salt][/append] > > to compare it > [search db=myusers.db&eqUSERNAMEdata=[_username]] > [founditems] [!]only happens if the user name exists…[/!] > [text]storedpw=[password][/text] > [text]storedsalt=[salt][/text] > [/founditems] > [/search] > [text show=f]temppasshash=[encrypt method=APOP][_password][storedsalt][/encrypt][/text] > [showif [storedpw]=[temppasshash]] do something [/showif] > > I don't like storing salt in the database. It's just there, waiting to be stolen right with the password. I suppose you could encrypt the salt, but then you have to decrypt it too. What I do now (although this is going to change since i just thought of something better) is have some static and very long text hidden in the code that does the passwords (not in the database.) This is not the text I use, but you get the point... > > [text]before='Twas brillig, and the slithy toves > Did gyre and gimble in the wabe; > All mimsy were the borogoves, > And the mome raths outgrabe. > > "Beware the Jabberwock, my son! > The jaws that bite, the claws that catch! > Beware the Jubjub bird, and shun > The frumious Bandersnatch!"[/text] > > [text]after=He took his vorpal sword in hand: > Long time the manxome foe he sought— > So rested he by the Tumtum tree, > And stood awhile in thought. > > And as in uffish thought he stood, > The Jabberwock, with eyes of flame, > Came whiffling through the tulgey wood, > And burbled as it came![/text] > > [text show=f]_MyEPass=[encrypt method=APOP][before][_password][after][/encrypt][/text] > > [search db=myusers.db&eqMYUSERNAMEdatarq=[url][_username][/url]&eqMYEPASSdatarq=[_MyEPass]&LOGINdatarq=T] > [if "[numfound]"="1"] > [then][!]----- one match-----[/!] > [!][/!] > [/then] > [else][!]----- no match-----[/!] > [redirect url=http://www.goaway.com] > [/else] > [/if] > [/search] > > > three future improvements: (i'll leave these as an exercise for you, dear reader) > > a) multiple rounds of hashes, feed the results of one hash right back into the process and do it again. (I'm led to believe some of the banking industry uses MD5, but goes thru 8000 iterations of hashing. Probably why it takes 30 seconds to log onto my bank's slow website.) > > b) here's a fun one: keep some long block of text, but add a stored salt. all the salt indicates are the offset from the beginning,middle and end of the text where to truncate the text and where to put the password. if anyone steals the users database, they will think the salt is literal and try pre and appending it. > > c) use WebDNAs ability to encrypt a template to hide the code you come up with that does your password magic. > > Thoughts, questions, suggestions? > > Brian B. Burton > > > > On Mar 19, 2014, at 8:02 PM, Stuart Tremain wrote: > >> Correction: >> >> [founditems] >> [ShowIf [_passwd]=[Decrypt seed=1234][unurl][DB_PASSWD][/UnURL][/Decrypt]] >> DATA FROM DB >> [/ShowIf] >> [/Founditems] >> >> >> >> Regards >> >> Stuart Tremain >> IDFK Web Developments >> AUSTRALIA >> webdna@idfk.com.au >> >> >> >> >> On 20 Mar 2014, at 11:57 am, Stuart Tremain wrote: >> >>> I am building a username/password system and want to encrypt the passwords >>> >>> However I have just realised that eqPASSWDdatarq=[url][url][ENCRYPT seed=1234][_passwd][/ENCRYPT][/URL][/URL] will not work due to not being able to get an encryption to ever be the same twice. >>> >>> What is the best way of dealing with this ? >>> >>> Govinda did post something a while ago where you would firstly do this: >>> >>> eqUSRNAMEdatarq=[_usrname] >>> >>> And then use a showif in the found items to find the matching encrypted password >>> >>> [founditems] >>> [ShowIf [_passwd]=[unurl][Decrypt seed=1234][DB_PASSWD][/Decrypt][/UnURL]] >>> DATA FROM DB >>> [/ShowIf] >>> [/Founditems] >>> >>> Is this the only way ? >>> >>> >>> Regards >>> >>> Stuart Tremain >>> IDFK Web Developments >>> AUSTRALIA >>> webdna@idfk.com.au >>> >>> >>> >>> >>> --------------------------------------------------------- >>> This message is sent to you because you are subscribed to >>> the mailing list . >>> To unsubscribe, E-mail to: >>> archives: http://mail.webdna.us/list/talk@webdna.us >>> Bug Reporting: support@webdna.us >> --------------------------------------------------------- >> This message is sent to you because you are subscribed to >> the mailing list . >> To unsubscribe, E-mail to: >> archives: http://mail.webdna.us/list/talk@webdna.us >> Bug Reporting: support@webdna.us >> > > --------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/talk@webdna.us > Bug Reporting: support@webdna.us > > -- Matthew A Perosi Corporate Consultant Mobile Marketing Expert Senior Web Developer SEO Analyst & Educator matt@psiprime.com Psi Prime, Inc. 323 Union Blvd. Totowa, NJ 07512 Direct: 888.872.0274 Fax: 888.488.5924 http://www.perosi.com "Psi Prime Inc, Matthew A Perosi "

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

Using Plug-In while running 1.6.1 (1997) Help DebugLevel Content-type: text/html (1998) WebCat2b14MacPlugIn - [include] doesn't hide the search string (1997) I give up!! (1997) Can't Search field (1998) is sku a REQUIRED field on NT (1997) Updating checkboxes made easy !!! (1998) Extended [ConvertChars] (1997) Re2: Calculating multiple shipping... (1997) AppleScript/.db (was:FTP to WebStar) (2001) [lineitems] (2000) Version 4 (2000) Sorting Numbers (1997) Strange intermittent WebDNA problems Workaround (2008) Sum of Quantities (1997) Practice runs ? (1997) New Web Site Developers Database (1996) - selectable size to an ecommerce app? (2000) RE: [REPLACE] inside [FOUNDITEMS] (1998) Help! WebCat2 bug (1997)