CodeCharge Studio

 Real password encryption


RoyBaird

Posts: 115
Posted: 12/30/2014, 7:08 AM

I need some pointers on how to implement a solution for real password encryption.
I set the encryption type to CODE EXPRESSION and put the function I have loaded in a class at the end of my common.php file. Here is the expression: Hashpassword(password). But that is what gets into my table, not an encryption. Here is the main part of my encryption code:

```php
<?php
// The post shows only the method; the class wrapper and its constants are assumed here so the snippet runs.
class PasswordHasher
{
    const ALGO_PBKDF2 = 'pbkdf2';
    const DEFAULT_KEY_LENGTH = 32;
    const DEFAULT_ITERATIONS = 10000;

    /**
     * Hashes a plaintext password using the parameters defined. If provided, $pepper
     * will be appended to the beginning of $password and $salt will be used in every hash
     * iteration in various ways (depending on the hash method used).
     * @static
     * @param string $password Plaintext password to hash.
     * @param string $salt A random sequence of bytes to add to the hash function.
     * @param string $pepper Another random sequence of bytes to add an extra secret to the hash generation.
     * @param string $algorithm Password hashing algorithm to use.
     * @param int $keyLength The number of bytes to return.
     * @param int $iterations The number of times to hash the text before returning the value.
     * @return string Returns $keyLength bytes of hashed $password.
     */
    public static function HashPassword($password, $salt, $pepper = null, $algorithm = self::ALGO_PBKDF2,
        $keyLength = self::DEFAULT_KEY_LENGTH, $iterations = self::DEFAULT_ITERATIONS)
    {
        if (strlen(trim((string) $pepper)) > 0) {
            $password = $pepper . $password;
        }
        // The rest of the method was not in the post; PBKDF2-SHA256 via hash_pbkdf2() (PHP 5.5+) is assumed for ALGO_PBKDF2.
        if ($algorithm !== self::ALGO_PBKDF2) {
            throw new InvalidArgumentException("Unsupported algorithm: $algorithm");
        }
        return hash_pbkdf2('sha256', $password, $salt, $iterations, $keyLength, true);
    }
}
```

I am sure others need the same help, or they will when they wake up and change their password encryption.
_________________
Roy
2tone

Posts: 20
Posted: 01/18/2015, 10:13 AM

I use md5 encryption for passwords
eratech


Posts: 513
Posted: 01/20/2015, 2:52 AM

Roy - try adding {}:
Hashpassword({password})
so CCS can insert the password into the code.

2tone - please don't use MD5. It is old, broken, and every possible value has already been pre-calculated for easy lookup. google for 'md5 lookup tables' and see.

Have a read of this to see *why* better hashing of passwords is needed (bcrypt is recommended and it is a strong hash and slow enough):

https://nakedsecurity.sophos.com/2013/11/20/serious-sec...sswords-safely/

For PHP 5.5+ there are bcrypt helper functions 'hash_password()' and 'verify_password()' but they need a slight change in the CCS password checking code:

http://security.stackexchange.com/questions/49319/is-a-...t-secure-enough

If you really want to make things better in one simple step, change the Project Settings > Security > Advanced > Code Expression to

hash("whirlpool", {password}.'fkl34t$#$FSfg')

(but change the random bit at the end) Yes, it is a common salt for all users. Agreed, not perfect, but much better than most methods and really simple. And doesn't break CCS.

Ok, late-in-the-day-rant-over.

Eric
_________________
CCS 3/4/5 ASP Classic, VB.NET, PHP
Melbourne, Victoria, Australia
MichaelMcDonald

Posts: 640
Posted: 02/03/2015, 5:37 PM

What are your thoughts on using MD5 as a base and then further encrypting / decrypting with CCEncryptString?
_________________
Central Coast, NSW, Australia.

eratech


Posts: 513
Posted: 02/03/2015, 8:26 PM

Depends on its use - if it's for password storage then it's best to one-way hash it (SHAx etc) and never decrypt it. Just compare the hash with the hashed password (+salt etc)

For encrypting stuff that you do need to decrypt (say, address details or other personal stuff) then I'd look for a library that makes it easy to encrypt/decrypt.

I'll check the code for the CCEncryptString and get back to you (been a looooong time since I looked at it)

And if you are storing credit card details, I'd try to not store it at all instead of trying to encrypt it - move the risk off to the payment gateway provider or Paypal or something.

E
_________________
CCS 3/4/5 ASP Classic, VB.NET, PHP
Melbourne, Victoria, Australia
MichaelMcDonald

Posts: 640
Posted: 02/03/2015, 9:21 PM

For passwords, when changing, load the existing hash from the DB and compare it with the hash of the new password to prevent re-use of the current password.

No need to decrypt.
_________________
Central Coast, NSW, Australia.

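Added example, not code from the thread or from CodeCharge: how eratech's bcrypt suggestion and Michael's "compare against the current password" check look in PHP using the built-in password_hash()/password_verify() functions, including a transparent upgrade of rows still holding the hash("whirlpool", password.'secret') value from the Code Expression above. The function names, the bcrypt cost, the legacy secret and the sample rows are assumptions for illustration.

```php
<?php
// Legacy common salt used by the whirlpool expression; value copied from the thread, replace in real use.
const LEGACY_PEPPER = 'fkl34t$#$FSfg';
const BCRYPT_OPTIONS = ['cost' => 12];   // assumed cost; tune so one hash takes ~100 ms on your server

function hashPassword(string $password): string {
    // bcrypt with a random per-hash salt; the salt and cost are stored inside the returned string
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// Returns [$ok, $newHashOrNull]; $newHash is set when the stored value should be replaced in the DB.
function checkPassword(string $password, string $stored): array {
    if (password_get_info($stored)['algoName'] === 'unknown') {
        // Not a password_hash() value: treat it as a legacy whirlpool+pepper hex digest.
        $legacy = hash('whirlpool', $password . LEGACY_PEPPER);
        if (!hash_equals($stored, $legacy)) {          // constant-time comparison
            return [false, null];
        }
        return [true, hashPassword($password)];         // upgrade to bcrypt on successful login
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Re-hash if the cost or algorithm in the stored value is older than the current policy.
    $new = password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS) ? hashPassword($password) : null;
    return [true, $new];
}

// Password-change check: two bcrypt hashes of the same password differ (random salt),
// so "is the new password the same as the current one" must use password_verify(),
// not a string comparison of two freshly computed hashes.
function isSameAsCurrent(string $newPassword, string $storedHash): bool {
    return password_verify($newPassword, $storedHash);
}

// Constructed demo rows
$legacyRow = hash('whirlpool', 'correct horse' . LEGACY_PEPPER);
[$ok, $upgrade] = checkPassword('correct horse', $legacyRow);
assert($ok && $upgrade !== null && password_get_info($upgrade)['algoName'] === 'bcrypt');
[$ok2] = checkPassword('wrong password', $legacyRow);
assert(!$ok2);
[$ok3, $again] = checkPassword('correct horse', $upgrade);
assert($ok3 && $again === null);                       // already bcrypt at current cost
assert(isSameAsCurrent('correct horse', $upgrade));
assert(!isSameAsCurrent('something new', $upgrade));
echo "all checks passed\n";
```

In CodeCharge the hashing half goes into the Code Expression (e.g. `hashPassword({password})`), while the login comparison must be swapped for a `password_verify()` call, since each bcrypt hash of the same password is different.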
