Password encryption on MySQL server
Hello guys!
I am working on an app that requires a login system and I got everything done with the password not encrypted. I know it is a no-go to put unencrypted passwords in a MySQL database, so I wanted to hear your solutions to this problem. How is it possible to hash the password and store it correctly?
regards, jakob
Re: Password encryption on MySQL server
(same encrypting needs soon...)
Have you followed any of these examples so far?
http://livecode.wikia.com/wiki/Encrypt
With what results?
Re: Password encryption on MySQL server
Are you accessing the MySQL database directly, or going through a middleware such as Livecode Server or PHP?
Someone just posted a nice looking middleware example for MySQL based on Livecode Server that includes authentication:
http://forums.livecode.com/viewtopic.ph ... 35#p163035
I have not tried it yet, so I cannot speak to how well it is set up, but it might at least be a starting place.
Re: Password encryption on MySQL server
Unencrypted passwords are not safe if someone gets access to administrator privileges, because he would read all passwords and could act as other users, creating a lot of problems.
If you store passwords encrypted, an administrator can't act as another user, because he reads only the encrypted password and can't know the real passwords.
However, MySQL passwords are stored in the user table of the mysql database and are encrypted using its own algorithm.
If you store other strings as passwords for other purposes, you can also use the MySQL crypt functions: https://dev.mysql.com/doc/refman/5.5/en ... tions.html
Livecode Wiki: http://livecode.wikia.com
My blog: https://livecode-blogger.blogspot.com
To post code use this: http://tinyurl.com/ogp6d5w
Re: Password encryption on MySQL server
Encryption is not generally considered sufficient for passwords. Anything that can be encrypted can be decrypted. A good rule of thumb is that if you use any site that allows password recovery, stop using it. Passwords should be resettable, but unrecoverable.
With passwords we want a one-way hash, ideally a double hash, with salt.
Dr. Peter Brett, of the LC team at the time, offered up an example of a salted double hash here:
https://www.mail-archive.com/use-liveco ... 82876.html
Note that SHA1 is no longer state-of-the-art, so sha1Digest should not be used in new code where cryptographic-quality hashing is needed. LC now offers the messageDigest function to replace the older hash functions, which allows arguments of SHA2 and even SHA3, both of which are considered acceptable today (though SHA3 will likely have more shelf life).
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
LiveCode Group on Facebook
LiveCode Group on LinkedIn
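The salted double hash the post above describes, as an added example (not code from the thread or from Dr. Brett's mail): each user gets a random salt, the salt and password are hashed twice with SHA-2 or SHA-3, and the result is stored as a single `scheme$salt$hash` string (that storage format is an assumption) in the MySQL password column. Verification recomputes the hash from the stored salt and compares in constant time. A third scheme, PBKDF2, shows the slow-KDF variant a practitioner would normally prefer over a plain fast hash.

```python
import hashlib
import hmac
import os

# Constructed example; the "scheme$salt$hash" record layout is an assumption,
# not something MySQL or LiveCode prescribes.
PBKDF2_ROUNDS = 600_000  # cost factor for the slow-KDF scheme


def compute(scheme: str, password: str, salt: bytes) -> str:
    """Return the hex hash of `password` under `scheme` with the given salt.

    sha256 / sha3_256: hash(salt + password), then hash that digest again
    (the 'salted double hash' from the thread, using SHA-2 / SHA-3).
    pbkdf2: PBKDF2-HMAC-SHA256, deliberately slow to make guessing costly.
    """
    pw = password.encode("utf-8")
    if scheme == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS).hex()
    first = hashlib.new(scheme, salt + pw).digest()
    return hashlib.new(scheme, first).hexdigest()


def make_record(password: str, scheme: str = "sha256") -> str:
    """Build the string to store in the password column for a new user."""
    salt = os.urandom(16)  # fresh random salt per user, never reused
    return f"{scheme}${salt.hex()}${compute(scheme, password, salt)}"


def verify(password: str, record: str) -> bool:
    """Check a login attempt against a stored record; False on malformed input."""
    try:
        scheme, salt_hex, stored = record.split("$")
        salt = bytes.fromhex(salt_hex)
        candidate = compute(scheme, password, salt)
    except ValueError:  # bad layout, bad hex, or unknown hash name
        return False
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    rec = make_record("correct horse battery", "sha3_256")
    print(rec)
    print(verify("correct horse battery", rec), verify("wrong", rec))
```

Because the record carries its scheme name, old rows can be re-hashed to a stronger scheme on the user's next successful login without a bulk migration.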
Re: Password encryption on MySQL server
Sorry if the question is dumb:
I'm about to write a script for both goals, encrypt URL params + encrypt PW in DBs.
Does encrypting a URL to protect parameters use the same LC function as encrypting a password or other data?
If they are two distinct functions, then one would actually use encryption in a script such as with GET or POST requests twice, in the case of an included PW transfer.
... and even three times according to your post!
Re: Password encryption on MySQL server
Rule #1 for appsec: don't roll your own security.
SSL solves this problem (though for other reasons I'd use POST rather than GET for sending data to the server). And with DNS under constant attack HTTPS is additionally valuable so your users can know they've arrived at the site they intended to.
SSL certs are free these days, thanks to the Let's Encrypt project:
https://letsencrypt.org/
Richard Gaskin
Re: Password encryption on MySQL server
In fact I'm already using HTTPS...
But on top of this I was told to encrypt all URL params for queries...
Re: Password encryption on MySQL server
Wouldn't hurt I suppose, but why GET over PUT for login?
Richard Gaskin
Re: Password encryption on MySQL server
True, in fact I was referring to DB queries, once logged in... and at the same time PW/USER encryption too.
Re: Password encryption on MySQL server
One benefit of using POST instead of GET is that the query string sent with GET is recorded in the access logs, creating an additional security exposure when those strings contain secrets.
Richard Gaskin
Re: Password encryption on MySQL server
Thanks so much,
I'm really new, and self-learning, about this kind of request over the web, so that's valuable info to me!
Re: Password encryption on MySQL server
Writing software is hard enough, but writing client-server apps is super-hard because you not only need to think of all the ways a user might misuse the app, but how the bad guys might misuse your server.
I have a friend who's been in the business for decades but he's burning out from having to deal with all the security overhead. It's a much more dangerous online world than it was 20 years ago.
But it's all learnable if you're patient and eager to try new things. It helps if you also enjoy coffee.
What OS is your server running? And is it a shared host or VPS?
PS: Self-learning is the best learning. It's the only learning, really: whatever you learn in school is just a foundation; most interesting professions these days require life-long self-learning anyway. It's a good habit to build.
Richard Gaskin