Passwort encryption on Mysql server

LiveCode is the premier environment for creating multi-platform solutions for all major operating systems - Windows, Mac OS X, Linux, the Web, Server environments and Mobile platforms. Brand new to LiveCode? Welcome!

Moderators: heatherlaine, Klaus, FourthWorld, robinmiller, kevinmiller

Post Reply
prorobot
Posts: 2
Joined: Fri Jan 19, 2018 11:25 am

Passwort encryption on Mysql server

Post by prorobot » Wed Jan 24, 2018 8:53 am

Hello guys!
I am working on a app that requires a login system and i got everything done with the passwort not
encrypted. I know it is a no-go to put unencryted passwords in a mysql database, so i wanted to hear your
solutions to this problem. How is it possible to hash the passwort and store it correctly?

regards, jakob :D

teriibi
Posts: 252
Joined: Mon Nov 13, 2017 3:49 pm
Location: Bolivia

Re: Passwort encryption on Mysql server

Post by teriibi » Wed Jan 24, 2018 1:08 pm

(same encrypting needs soon...) :roll:
Have you followed any of these examples so far ?
http://livecode.wikia.com/wiki/Encrypt

with what results :idea:

ghettocottage
Livecode Opensource Backer
Livecode Opensource Backer
Posts: 250
Joined: Tue Apr 10, 2012 9:18 am

Re: Passwort encryption on Mysql server

Post by ghettocottage » Wed Jan 24, 2018 5:48 pm

Are you accessing the MySQL database directly, or going through a middleware such as Livecode Server or PHP?

Someone just posted a nice looking middleware example for MySQL based on Livecode Server that includes authentication:
http://forums.livecode.com/viewtopic.ph ... 35#p163035

I have not tried it yet, so I cannot speak to how well it is set up, but it might at least be a starting place.

MaxV
Posts: 1488
Joined: Tue May 28, 2013 2:20 pm
Location: Italy
Contact:

Re: Passwort encryption on Mysql server

Post by MaxV » Wed Jan 24, 2018 6:10 pm

Unencrypted passwords are not safe if someone get access to administrator privileges, because he would read all passwords and he could act as other users, creating a lot of problems.
If you store password encrypted, an administrator can't act as another user, because he reads only crypted password and can't know the real passwords.

However MySQL passwords are stored in the user table of the mysql database and are encrypted using it's own algorithm.

If you stored other strings as password for other purposes, you can use also the one the mysql crypt functions: https://dev.mysql.com/doc/refman/5.5/en ... tions.html
Livecode Wiki: http://livecode.wikia.com
My blog: http://livecodeitalia.blogspot.it
To post code use this: http://tinyurl.com/ogp6d5w

FourthWorld
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 5895
Joined: Sat Apr 08, 2006 7:05 am
Location: Los Angeles
Contact:

Re: Passwort encryption on Mysql server

Post by FourthWorld » Wed Jan 24, 2018 8:02 pm

Encryption is not generally considered sufficient for passwords. Anything that can be encrypted can be decrypted. A good rule of thumb is that if you use any site that allows password recovery, stop using it. Passwords should be resettable, but unrecoverable,

With passwords we want a one-way hash, ideally a double hash, with salt.

Dr. Peter Brett, of the LC team at the time, offered up an example of salted double-hash here:
https://www.mail-archive.com/use-liveco ... 82876.html

Note that SHA1 is no longer state-of-the art, so sha1Digest should not be used in new code where cryptographic-quality hashing is needed. LC now offers the messageDigest function to replace the older hash functions, which allows arguments of SHA2 and even SHA3, both of which are considered acceptable today (though SHA3 will likely have more shelf life).
Richard Gaskin
Community volunteer LiveCode Community Liaison

LiveCode development, training, and consulting services: Fourth World Systems: http://FourthWorld.com
LiveCode User Group on Facebook : http://FaceBook.com/groups/LiveCodeUsers/

teriibi
Posts: 252
Joined: Mon Nov 13, 2017 3:49 pm
Location: Bolivia

Re: Passwort encryption on Mysql server

Post by teriibi » Wed Jan 24, 2018 9:04 pm

Sorry if the question is dumb :

Im about to write script for both goal, encrypt URL params...+ encrypt PW in DBs.

Does Encrypting URL to protect parameters uses the same LC function as encripting Password or other datas.

If they are two distinct functions, than one would actaully use encryptions in script such as with a GET or POST requests twice, in the case of an included PW transfer.
... and even three times according to your Post !
:shock: :shock:

FourthWorld
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 5895
Joined: Sat Apr 08, 2006 7:05 am
Location: Los Angeles
Contact:

Re: Passwort encryption on Mysql server

Post by FourthWorld » Thu Jan 25, 2018 12:32 am

Rule #1 for appsec: don't roll your own security.

SSL solves this problem (though for other reasons I'd use POST rather than GET for sending data to the server). And with DNS under constant attack HTTPS is additionally valuable so your users can know they've arrived at the site they intended to.

SSL certs are free these days, thanks to the Let's Encrypt project:
https://letsencrypt.org/
Richard Gaskin
Community volunteer LiveCode Community Liaison

LiveCode development, training, and consulting services: Fourth World Systems: http://FourthWorld.com
LiveCode User Group on Facebook : http://FaceBook.com/groups/LiveCodeUsers/

teriibi
Posts: 252
Joined: Mon Nov 13, 2017 3:49 pm
Location: Bolivia

Re: Passwort encryption on Mysql server

Post by teriibi » Thu Jan 25, 2018 4:04 am

In fact I m already using Https...
But on top of this I was told to encrypt all url params for queries...

FourthWorld
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 5895
Joined: Sat Apr 08, 2006 7:05 am
Location: Los Angeles
Contact:

Re: Passwort encryption on Mysql server

Post by FourthWorld » Thu Jan 25, 2018 4:47 am

teriibi wrote:
Thu Jan 25, 2018 4:04 am
In fact I m already using Https...
But on top of this I was told to encrypt all url params for queries...
Wouldn't hurt I suppose, but why GET over PUT for login?
Richard Gaskin
Community volunteer LiveCode Community Liaison

LiveCode development, training, and consulting services: Fourth World Systems: http://FourthWorld.com
LiveCode User Group on Facebook : http://FaceBook.com/groups/LiveCodeUsers/

teriibi
Posts: 252
Joined: Mon Nov 13, 2017 3:49 pm
Location: Bolivia

Re: Passwort encryption on Mysql server

Post by teriibi » Thu Jan 25, 2018 6:04 pm

True, in fact I was refering to DB queries - once logged...and at the same time PW/USER encryption too

FourthWorld
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 5895
Joined: Sat Apr 08, 2006 7:05 am
Location: Los Angeles
Contact:

Re: Passwort encryption on Mysql server

Post by FourthWorld » Wed Jan 31, 2018 4:24 pm

One benefit of using POST instead of GET is that the query string sent with GET is recorded in the access logs, creating an additional security exposure when those strings contain secrets.
Richard Gaskin
Community volunteer LiveCode Community Liaison

LiveCode development, training, and consulting services: Fourth World Systems: http://FourthWorld.com
LiveCode User Group on Facebook : http://FaceBook.com/groups/LiveCodeUsers/

teriibi
Posts: 252
Joined: Mon Nov 13, 2017 3:49 pm
Location: Bolivia

Re: Passwort encryption on Mysql server

Post by teriibi » Wed Jan 31, 2018 11:45 pm

Thanks so much,
I m really new - and selflearning - about this kind of Requests over the Web so thats valuable info to me !
:wink: !

FourthWorld
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 5895
Joined: Sat Apr 08, 2006 7:05 am
Location: Los Angeles
Contact:

Re: Passwort encryption on Mysql server

Post by FourthWorld » Thu Feb 01, 2018 12:11 am

Writing software is hard enough, but writing client-server apps is super-hard because you not only need to think of all the ways a user might misuse the app, but how the bad guys might misuse your server.

I have a friend who's been in the business for decades but he's burning out from having to deal with all the security overhead. It's a much more dangerous online world than it was 20 years ago.

But it's all learnable if you're patient and eager to try new things. It helps if you also enjoy coffee. :)

What OS is your server running? And is it a shared host or VPS?


PS: Self-learning is the best learning. It's the only learning, really: whatever you learn in school is just a foundation, most interesting professions these days require life-long Self-learning anyway. It's a good habit to build.
Richard Gaskin
Community volunteer LiveCode Community Liaison

LiveCode development, training, and consulting services: Fourth World Systems: http://FourthWorld.com
LiveCode User Group on Facebook : http://FaceBook.com/groups/LiveCodeUsers/

Post Reply

Return to “Getting Started with LiveCode - Experienced Developers”