Re: [ENCRYPT seed=xxxxx] length

This WebDNA talk-list message is from 2000.
To answer your second question, the standard way in Unix is to store the encrypted password only. Then when the user types in their password, the code encrypts it immediately and compares it to the encrypted one in the database.

That being said, it seems to me that you want to encrypt more than just their password, but allow the user to retrieve a lost password without your intervention. This is usually done by having a lost password page which creates a temporary password and e-mails it to the account on record. Then when the user reconnects (usually via an embedded link in the e-mail), the system gives the user a chance to reset the password.

However, choosing the seed value is tough. You cannot use a cart value because it is too long; you could choose their zipcode, but then it would not be unique. You could use a custom [ConvertChars] database which would encode the first 7 letters of their user-id as a number (think a database randomly generated initially to map each letter to 0-9). This way, the user would only need to remember their user-id. Or you could store their user-id in a cookie.

Once you have a seed, you can encrypt all of the fields in the database except for user-id and optionally e-mail address (in case they forget their user-id too). But you could still create a page which would allow you to decrypt the records, since you have physical access to the database. Tougher encryption than that is hard to deal with (and manage) within any program, not just WebCat.

If this is a very high security project or if you have access to Netware 5.x, you can use a Client Certificate, which is a cryptographically secure method of identifying users. Thawte has a product called Strong Extranet ($1000/yr for up to 10,000 users) which allows you to manage a PKI infrastructure using their software. It is still difficult to do enterprise PKI, even with Thawte actually generating the certificates. Even getting a cert is tough going for the novice end user.

I am currently experimenting with Netware Certificate Server 2.0 and issuing my own certificates, but I am always happiest at the bleeding edge.

HTH

John Peacock

Derek C. wrote:
> Couple questions...
>
> first, is there a maximum length I can use as a seed for [ENCRYPT]?
>
> second, we are building a customer database to allow customers to log
> in, but this is NOT a web catalog security based system, what I am
> wondering is, has anyone come up with a good method of encrypting
> sensitive information based on some of the customer information so
> that a) the seed is dynamic for each customer and b) the seed does
> NOT require the customer to log in (this is so if they forget their
> password, we can retrieve it without knowing their password)
>
> thanx,
> Derek
> --
>
> Derek Chauran
> Web Developer, Dark Horse Comics
> derekc@darkhorse.com
> http://www.darkhorse.com

Associated Messages, from the most recent to the oldest:

  1. Re: [ENCRYPT seed=xxxxx] length (John Peacock 2000)
  2. Re: [ENCRYPT seed=xxxxx] length (Kenneth Grome 2000)
  3. [ENCRYPT seed=xxxxx] length (Derek C. 2000)
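Added example, not part of John Peacock's message and not WebDNA code: a Python sketch of the two flows the reply describes. The first is the Unix-style login check (store only the hashed password, hash what the user types, compare). The second is the lost-password page that mints a temporary secret, e-mails it to the address on record, and lets the user choose a new password when they come back through the link. In place of the Unix password encryption John refers to it uses a salted PBKDF2 hash; the reset token is stored only as a hash with a short expiry, so a copy of the customer table does not by itself yield working reset links. The in-memory dict, the user ids, addresses and passwords are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the customer database: user-id -> record.
# Assumption: a real deployment persists these fields in the user table.
USERS = {}

PBKDF2_ROUNDS = 100_000
RESET_TOKEN_TTL = 15 * 60  # seconds a reset link stays valid


def _hash_secret(secret, salt):
    """Salted PBKDF2-HMAC-SHA256 of a password; only this digest is stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def create_user(user_id, email, password):
    salt = secrets.token_bytes(16)
    USERS[user_id] = {
        "email": email,
        "salt": salt,
        "pw_hash": _hash_secret(password, salt),  # the plaintext is never kept
        "reset_hash": None,                       # hash of a pending reset token
        "reset_expires": 0.0,
    }


def verify_password(user_id, password):
    """Login check: hash what the user typed and compare with the stored hash."""
    rec = USERS.get(user_id)
    if rec is None:
        return False
    candidate = _hash_secret(password, rec["salt"])
    return hmac.compare_digest(candidate, rec["pw_hash"])  # constant-time compare


def start_password_reset(user_id, now=None):
    """Lost-password page: mint a one-time token, store only its hash, and
    return (token, e-mail on record) so the caller can send the link.
    Returns None for an unknown user; the page should still show the same
    generic 'check your mail' text so user ids cannot be enumerated."""
    now = time.time() if now is None else now
    rec = USERS.get(user_id)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)
    rec["reset_hash"] = hashlib.sha256(token.encode()).digest()
    rec["reset_expires"] = now + RESET_TOKEN_TTL
    return token, rec["email"]


def complete_password_reset(user_id, token, new_password, now=None):
    """The link brings the user back: check the token (single-use, expiring),
    then store the hash of the password they choose."""
    now = time.time() if now is None else now
    rec = USERS.get(user_id)
    if rec is None or rec["reset_hash"] is None or now > rec["reset_expires"]:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, rec["reset_hash"]):
        return False
    rec["reset_hash"] = None          # burn the token so the link cannot be reused
    rec["reset_expires"] = 0.0
    rec["salt"] = secrets.token_bytes(16)
    rec["pw_hash"] = _hash_secret(new_password, rec["salt"])
    return True


if __name__ == "__main__":
    create_user("derek", "derek@example.com", "hunter2")   # constructed demo data
    print("login ok:", verify_password("derek", "hunter2"))
    token, email = start_password_reset("derek")
    print("would e-mail a link carrying the token to", email)
    print("reset ok:", complete_password_reset("derek", token, "new-pass"))
    print("old password still works:", verify_password("derek", "hunter2"))
```

The point of hashing the reset token before storing it is the same as for the password: whoever can read the table (the operator John mentions, or anyone who copies it) sees only digests, and the e-mailed token is the only thing that can finish the reset. Expiry and single use keep an old e-mail from serving as a permanent back door.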
