Password Encryption for the DB


Password Encryption for the DB

Steffan A. Cline
So, with L9 and all the new cipher options available, what is the most
common choice for password hashing/encrypting before storing in a table?

It seems most of the php and other language solutions use md5 on insert to
the table.

What is your encryption of choice for this?




Thanks

Steffan

---------------------------------------------------------------
T E L  6 0 2 . 7 9 3 . 0 0 1 4 | F A X  6 0 2 . 9 7 1 . 1 6 9 4
Steffan A. Cline  [hidden email]
http://www.ExecuChoice.net                 Phoenix, Arizona USA
---------------------------------------------------------------



#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>

RE: Password Encryption for the DB

Rick Draper-2
Hi Steffan,

IMHO MD5 is not a good choice - particularly if no salt is being added.
This thread is worth a read.

http://www.lassotalk.com/Re-Looking-for-input-Authentication.lasso?230290

Very best regards,

Rick




Re: Password Encryption for the DB

stevepiercy
In reply to this post by Steffan A. Cline
I'd use the highest level of encryption for hashing that is
available on your system, along with a salt, per Bil Corry's
presentation at LDC 2008(?) and several of his posts on this list.

     cipher_list(-digest)

RIPEMD160 is a preferred cipher for its balance of performance,
collision avoidance, and no patents.

Knop has some good stuff for hashing passwords with a salt in
its knop_user type.
https://github.com/knop-project/knop/blob/master/docs/knop_manual.md#knop_user

--steve


On 6/21/14 at 8:46 PM, [hidden email] (Steffan A. Cline) pronounced:


-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Soquel, CA
<[hidden email]>               <http://www.StevePiercy.com/>


Re: Password Encryption for the DB

Bil Corry-3
What Rick and Steve said.  I'll add that MD5 is considered "broken" and is
more-or-less the same as storing it as plaintext.  Never use MD5 for
anything, ever.  If you see MD5 being used, it means the security of that
product is crap.

For passwords, you want to use a hash, which is a one-way transformation
that doesn't allow it to be reversed.  So even if someone grabs the hashes,
they can't reverse them to get the password.  If you use encryption, that
means you can decrypt the password, and so can any attacker who
successfully gets into your system.


- Bil


On Sun, Jun 22, 2014 at 7:14 AM, Steve Piercy - Web Site Builder <
[hidden email]> wrote:


Re: Password Encryption for the DB

Steffan A. Cline
In reply to this post by stevepiercy
Odd. The cipher list is a bit off somehow.

cipher_list(-digest) => staticarray(MD2, MD4, MD5, SHA, SHA1, DSA-SHA,
DSA, RIPEMD160)


cipher_encrypt('Data', -cipher='RIPEMD160', -Key='1234567890123456') =>
FAILURE: -1 No ciphers available with this name

Am I missing something? The RC4 from the docs seems to work though.


Thanks

Steffan

---------------------------------------------------------------
T E L  6 0 2 . 7 9 3 . 0 0 1 4 | F A X  6 0 2 . 9 7 1 . 1 6 9 4
Steffan A. Cline   [hidden email]
http://www.ExecuChoice.net                 Phoenix, Arizona USA
                 
---------------------------------------------------------------






On 6/21/14, 10:14 PM, "Steve Piercy - Web Site Builder"
<[hidden email]> wrote:




Re: Password Encryption for the DB

Steffan A. Cline
Disregard on this…

Pilsonism!



Thanks

Steffan





On 6/22/14, 1:08 AM, "Steffan A. Cline" <[hidden email]> wrote:




Re: Password Encryption for the DB

stevepiercy
In reply to this post by Steffan A. Cline
Don't use cipher_encrypt because RIPEMD160 is a digest (hashing,
one-way) cipher.  Instead use:

     cipher_digest(#data, -digest='RIPEMD160')

Use an optional -hex parameter to return a hexadecimal string
instead of a default bytes type.

The term "encryption" is often used ambiguously, which can be
confusing.  I keep it straight in my head like so:

* An encrypted thing can be decrypted.
* I can digest hash browns, and they only go in one way.

--steve


On 6/22/14 at 1:08 AM, [hidden email] (Steffan A. Cline) pronounced:


-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Soquel, CA
<[hidden email]>               <http://www.StevePiercy.com/>

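Salted one-way hashing as Rick, Steve and Bil recommend, with the unsalted md5-on-insert pattern from Steffan's question beside it for comparison. This is an added Python example, not Lasso code from the list or from Knop; it assumes hashlib.sha256 as a stand-in for RIPEMD160 (not every Python build ships RIPEMD160) and a constructed two-user table.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample table: two accounts that happened to pick the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}


def md5_unsalted(password: str) -> str:
    """The 'md5 on insert' pattern: one-way, but unsalted, so identical
    passwords produce identical rows, and MD5 itself is collision-broken."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted one-way digest. Stored form is '<hex salt>$<hex digest>' so that
    verification can recover the salt. sha256 stands in for RIPEMD160 here
    (assumption); the salt-then-digest construction is the same."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time.
    Nothing in the stored row lets anyone recover the password: this is a
    digest, not encryption, so there is no key to decrypt with."""
    salt_hex, digest = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate.split("$", 1)[1], digest)


def unsalted_rows_collide(users: dict) -> bool:
    """True when two accounts' unsalted digests match: the table itself
    reveals shared passwords, and cracking one row unlocks both."""
    digests = [md5_unsalted(p) for p in users.values()]
    return len(set(digests)) < len(digests)


def salted_rows_collide(users: dict) -> bool:
    """Same check on salted rows: identical passwords no longer share a digest."""
    rows = [hash_password(p) for p in users.values()]
    return len(set(rows)) < len(rows)


if __name__ == "__main__":
    print("unsalted md5 rows identical:", unsalted_rows_collide(USERS))
    print("salted rows identical:      ", salted_rows_collide(USERS))
    row = hash_password("correct horse")
    print("verify correct password:", verify_password("correct horse", row))
    print("verify wrong password:  ", verify_password("wrong", row))
```

A single fast digest, even salted, can still be brute-forced quickly on modern hardware; a deliberately slow password hash (PBKDF2, bcrypt or scrypt) keeps the same salt-store-verify structure and adds a tunable cost.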