Re: [ENCRYPT seed=xxxxx] length
This WebDNA talk-list message is from 2000
To answer your second question, the standard way in Unix is to store the encrypted password only. Then when the user types in their password, the code encrypts it immediately and compares it to the encrypted one in the database.

That being said, it seems to me that you want to encrypt more than just their password, but allow the user to retrieve a lost password without your intervention. This is usually done by having a lost password page which creates a temporary password and e-mails it to the account on record. Then when the user reconnects (usually via an embedded link in the e-mail), the system gives the user a chance to reset the password.

However, choosing the seed value is tough. You cannot use a cart value because it is too long; you could choose their zipcode, but then it would not be unique. You could use a custom [ConvertChars] database which would encode the first 7 letters of their user-id as a number (think a database randomly generated initially to map each letter to 0-9). This way, the user would only need to remember their user-id. Or you could store their user-id in a cookie.

Once you have a seed, you can encrypt all of the fields in the database except for user-id and optionally e-mail address (in case they forget their user-id too). But you could still create a page which would allow you to decrypt the records, since you have physical access to the database. Tougher encryption than that is hard to deal with (and manage) within any program, not just WebCat.

If this is a very high security project or if you have access to Netware 5.x, you can use a Client Certificate, which is a cryptographically secure method of identifying users. Thawte has a product called Strong Extranet ($1000/yr for up to 10,000 users) which allows you to manage a PKI infrastructure using their software. It is still difficult to do enterprise PKI, even with Thawte actually generating the certificates. Even getting a cert is tough going for the novice end user.

I am currently experimenting with Netware Certificate Server 2.0 and issuing my own certificates, but I am always happiest at the bleeding edge.

HTH

John Peacock

Derek C. wrote:
>
> Couple questions...
>
> first, is there a maximum length I can use as a seed for [ENCRYPT]?
>
> second, we are building a customer database to allow customers to log
> in, but this is NOT a web catalog security based system, what I am
> wondering is, has anyone come up with a good method of encrypting
> sensitive information based on some of the customer information so
> that a) the seed is dynamic for each customer and b) the seed does
> NOT require the customer to log in (this is so if they forget their
> password, we can retrieve it without knowing their password)
>
> thanx,
> Derek
> --
>
> Derek Chauran
> Web Developer, Dark Horse Comics
> derekc@darkhorse.com
> http://www.darkhorse.com
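The two pieces of advice in John's reply, store only a one-way hash of the password and compare on login, and handle a lost password by mailing a temporary one-time credential to the address on record instead of recovering the old one, shown as an added example. This is illustrative Python written for this archive page, not WebDNA and not code from the list or its author; the account store, mail queue, reset URL, PBKDF2 work factor and token lifetime are all assumptions or constructed sample values. It goes a little beyond the message by hashing the reset token at rest and making it single-use and time-limited, which is what lets the reset page work without the user logging in while a copy of the database alone cannot mint valid links.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters for this example (not from the original message).
PBKDF2_ITERATIONS = 600_000               # work factor for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL = 15 * 60                 # lifetime of a reset link, in seconds
RESET_URL = "https://shop.example/reset"  # placeholder for the site's reset page


def hash_password(password: str) -> dict:
    """Keep only a random per-user salt and the derived key, never the password."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "key": key.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive from what the user typed and compare in constant time."""
    key = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(key.hex(), record["key"])


class Accounts:
    """Tiny in-memory stand-in for the customer database and the mail server."""

    def __init__(self):
        self.users = {}         # user_id -> {"email": ..., "pw": hash_password(...)}
        self.reset_tokens = {}  # sha256(token) -> {"user_id": ..., "expires": ...}
        self.outbox = []        # constructed stand-in for the outgoing mail queue

    def register(self, user_id: str, email: str, password: str) -> None:
        self.users[user_id] = {"email": email, "pw": hash_password(password)}

    def login(self, user_id: str, password: str) -> bool:
        user = self.users.get(user_id)
        return user is not None and verify_password(user["pw"], password)

    def request_reset(self, user_id: str, now=None) -> None:
        """Mail a one-time link to the address on record. The caller is told nothing
        either way, so the lost-password page cannot be used to enumerate accounts."""
        user = self.users.get(user_id)
        if user is None:
            return
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token: a copy of the database cannot forge links.
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[token_hash] = {"user_id": user_id, "expires": now + RESET_TOKEN_TTL}
        self.outbox.append({"to": user["email"], "link": f"{RESET_URL}?token={token}"})

    def redeem_reset(self, token: str, new_password: str, now=None) -> bool:
        """Accept the token once, only before it expires, then set the new password."""
        now = time.time() if now is None else now
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(token_hash, None)  # pop makes it single-use
        if entry is None or now > entry["expires"]:
            return False
        self.users[entry["user_id"]]["pw"] = hash_password(new_password)
        return True


def token_from_mail(mail: dict) -> str:
    """Pull the token back out of the constructed e-mail, as the user's click would."""
    return mail["link"].split("token=", 1)[1]


def demo() -> bool:
    """Walk the whole flow on a constructed account; True when every step behaves."""
    acct = Accounts()
    acct.register("derek", "derek@example.invalid", "first-password")  # constructed
    acct.request_reset("derek", now=1000.0)
    token = token_from_mail(acct.outbox[-1])
    ok = acct.redeem_reset(token, "second-password", now=1100.0)
    reused = acct.redeem_reset(token, "third-password", now=1200.0)  # must be refused
    return (ok and not reused
            and acct.login("derek", "second-password")
            and not acct.login("derek", "first-password"))


if __name__ == "__main__":
    print("reset flow ok:", demo())
```

Note the deliberate asymmetry: the password is never stored, only its salted PBKDF2 output, so the "retrieve it without knowing their password" request in Derek's question is answered by issuing a fresh credential rather than by decrypting the old one.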