New topic: What is the best method to store a password ?
<http://forums.realsoftware.com/viewtopic.php?t=43321>

mrleewhitehead (Posted: Sat Mar 24, 2012 11:43 am)

Hi, please could anyone help. I have created 3 windows (window1, window2 & window3). The idea is to enter a password into a textfield in window 1 that is then stored within the program. To gain access to window2 the same password that was entered into window1's textfield must be used. Window 2 will now close & window 3 open. My question is which is the best way to go about this? Is it best to store the password in a database or is it possible to do this a simpler way?

Lee

charonn0, San Francisco, CA, USA (Posted: Sat Mar 24, 2012 12:04 pm)

The safest way to store a password is to not store it at all. Instead, store the hash of the password* (RS has MD5 built in, which should be adequate; however you should use something stronger like SHA1 if possible.) The hash will never change provided the same data (salt + password) is used, so you can compare the hash you stored earlier to the hash of the password the user just entered to determine whether they match, but without requiring you to store the password in a recoverable format. Storing only the hash also has the benefit of protecting passwords even if an attacker breaks in and steals the stored hash: it's not possible to reverse a hash operation to get the original data. Once it's hashed, you can store it just about anywhere.

*Due to the widespread availability of quality rainbow tables, it is recommended that you salt your hashes well.

-- Boredom Software

mrleewhitehead (Posted: Sat Mar 24, 2012 12:26 pm)

Is it best to store the hash in a database or is there a different way to do this?

Lee

charonn0, San Francisco, CA, USA (Posted: Sat Mar 24, 2012 12:51 pm)

That largely depends on your particular application. If it already has a database then I don't see why you shouldn't use it to store account details. If it doesn't, then it's probably overkill to create a database solely for login details.

If you need a way to serialize data to a file without a database then look at the JSONItem class. The JSONItem has a ToString method which returns the string representation of the JSONItem. Save this string to a text file. You can then re-create the JSONItem simply by reading the text file and passing the read data into the JSONItem constructor.

mrleewhitehead (Posted: Sat Mar 24, 2012 1:24 pm)

Thanks for your help. I understand it better now.

Cheers,
Lee

basestring, Beijing, China (Posted: Sat Mar 24, 2012 8:19 pm)

You could also create an encryption on your password, like getting the ASCII code of the character and doing some calculations with that number, then storing those numbers in a string and separating them with a "-", like 45657-456579-456-456-6846

charonn0, San Francisco, CA, USA (Posted: Sat Mar 24, 2012 10:59 pm)

Why do all that when there are cryptographically strong, freely usable hashing algorithms?

Thom McGrath, Site Admin, Greater Hartford Area, CT (Posted: Sun Mar 25, 2012 8:07 am)

basestring wrote:
    You could also create an encryption on your password, like getting the ASCII code of the character and doing some calculations with that number, then storing those numbers in a string and separating them with a "-", like 45657-456579-456-456-6846

I think that's a terrible idea. There's no way you'll be able to create something even close to as strong as "real" cryptography or hashing.

-- Thom McGrath - @tekcor, Web Framework Architect, Real Software, Inc.

lenpartico (Posted: Sun Mar 25, 2012 8:34 am)

Thom McGrath wrote:
    basestring wrote:
        You could also create an encryption on your password, like getting the ASCII code of the character and doing some calculations with that number, then storing those numbers in a string and separating them with a "-", like 45657-456579-456-456-6846

    I think that's a terrible idea. There's no way you'll be able to create something even close to as strong as "real" cryptography or hashing.

If the user forgets his/her password, could it be retrieved if "real" cryptography or hashing was used? With the customized encryption method as described above it can.

Thom McGrath, Site Admin, Greater Hartford Area, CT (Posted: Sun Mar 25, 2012 8:46 am)

lenpartico wrote:
    If the user forgets his/her password, could it be retrieved if "real" cryptography or hashing was used? With the customized encryption method as described above it can.

That is precisely why it is a terrible idea. If you can decrypt it, so can somebody who has stolen your database. The goal is to make the passwords as unretrievable as possible.

NaNdummy (Posted: Mon Mar 26, 2012 5:30 am)

I use anything. Adding x to every ASCII code (Code: Chr(Asc(MySymbol)+x)), an encryption, and changing it randomly (using a random class with the seed of the PC serial number, for example).

arthofer, Austria (Posted: Mon Mar 26, 2012 6:16 am)

That's still a terrible idea. If you want to recover passwords, everything without public key cryptography is going to punch a big hole into your security concept.

I would suggest 3 solutions:
1) The password may not be reset (saved as salted hash)
2) BAD IDEA - The password reset may be issued by a hard-coded master password (both saved as salted hash, but if you enter the master password, the user may enter a new one)
3) The password may be retrieved via RSA public key cryptography

-- Thomas Arthofer

Thom McGrath, Site Admin, Greater Hartford Area, CT (Posted: Mon Mar 26, 2012 6:27 am)

NaNdummy wrote:
    I use anything. Adding x to every ASCII code (Code: Chr(Asc(MySymbol)+x)), an encryption, and changing it randomly (using a random class with the seed of the PC serial number, for example).

I hope I'm misunderstanding you. While a random increment produces a garbage string - that's very good - because it is random you'll never produce the same garbage string again, which makes it useless for password validation.

Developers, if you are storing passwords, please take my advice. I'm not going to claim to be the expert of experts, but this stuff is my job. Don't even attempt to roll your own until you understand how your data will be attacked. There are three common ways:

1) Rainbow Tables. These are databases of hashes for known passwords. If you're storing a simple MD5 hash, any password 6 characters or less is already known. 7 and 8 character passwords are coming up fast. Salting your MD5 is the best bet for RB developers, as SHA algorithms are not readily available.
2) Guessing / Common Passwords. Download a list of the most common passwords, and don't allow them to be used. Enforce intelligent rules such as making sure the password does not contain the username.
3) Brute Force. This is the hardest to fight. First of all, require passwords to be long. A 12 character password is nearly force-proof, but won't be forever. Websites which have maximum password lengths piss me off terribly, as that means I can't pick a good password. To truly protect a password from brute force attacks, use PBKDF2 hashing. This solves issue #1 as well. But it is easier said than done as there is no RB implementation available. Though it's easy to do if you have an SHA256-HMAC routine.

I'm not trying to give anybody a hard time about their schemes, well... at least not without good reason. This stuff is extremely important. Taking the issue lightly is a huge problem, look at the Sony PSN issue from last year. Don't count on security through obscurity, take the time to do it right. It's better than being sorry later.

arthofer, Austria (Posted: Mon Mar 26, 2012 6:59 am)

Also, in addition, I ran a small test on how to read out the passwords. So, if a bad guy finds out that you use chr()+x as "hashing", he may brute force all 255 possible combinations of the ASCII table and then eliminate all passwords which contain unusable chars (line feed, end of file and so on). With that idea, I've been able to reduce the number of possible passwords from 255 down to 21 possible passwords in my test case with a pretty good password.

NaNdummy (Posted: Mon Mar 26, 2012 8:11 am)

I never said that Chr:Asc would be hashing! I use that PLUS hashing! And I take the Random (note: seed is still serial number) for things like demo verification files, so hackers can't just upload a file to a hosting platform which has 30 days left. This file will only work on his computer.
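The approach charonn0 and Thom McGrath recommend in the thread (store only a salted hash, and derive it with PBKDF2 built from nothing but an HMAC-SHA256 routine) worked through as an added example in Python; this is not code from the thread or from Real Software, and the iteration count and the `scheme$iterations$salt$hash` record layout are my own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2 (RFC 2898) using only an HMAC-SHA256 primitive.

    Block i of the output is U1 xor U2 xor ... xor Uc, where
    U1 = HMAC(password, salt || INT_BE(i)) and Uj = HMAC(password, U(j-1)).
    The iteration count c is the work factor that slows offline brute force.
    """
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    out = bytearray()
    block = 1
    while len(out) < dklen:
        u = hmac.new(password, salt + block.to_bytes(4, "big"), hashlib.sha256).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            for k in range(32):          # accumulate U1 xor U2 xor ... xor Uc
                t[k] ^= u[k]
        out += t
        block += 1
    return bytes(out[:dklen])


ITERATIONS = 100_000  # assumed work factor; tune so a login check costs tens of ms


def make_record(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Build the value to store: scheme, work factor, random salt, derived key.

    The password itself is never written anywhere; a stolen record cannot be
    decrypted, only attacked by guessing at the cost of `iterations` HMACs per guess.
    """
    salt = salt if salt is not None else os.urandom(16)  # fresh salt defeats rainbow tables
    dk = pbkdf2_hmac_sha256(password.encode("utf-8"), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    dk = pbkdf2_hmac_sha256(password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
```

The stored record carries its own salt and iteration count, so the work factor can be raised later for new records without invalidating old ones.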
