This is impressive, Alejandro! Thanks for the explanation.

Alexandre  

> On 22 Feb 2017, at 01:17, Alejandro Infante <alejandroinfant...@gmail.com> 
> wrote:
> 
> Hi!
> If it helps, I’m using NaCl to secure the passwords. You should not store 
> the passwords of your users, not even encrypted.
> 
> For securing the passwords I use SHA-512 over the salted password.
> ———————————— 
> User>>initialize
>       super initialize.
>       salt := (Nacl randomBytes: 16)
> 
> User>>setPassword: aPassword
>       hashedPassword := Nacl hash: (salt , aPassword asByteArray)
> 
> User>>validatePassword: aPassword
>       ^ hashedPassword asByteArray = (Nacl hash: salt asByteArray , aPassword asByteArray)
> ————————————
> 
> Notice that:
>       1) I have a different salt for each password, so if a bad guy wants the 
> passwords he is going to need a different rainbow table for each user.
>       2) I do not store the password. I do not even store the hash of the 
> plain password.
>       3) Still I’m able to validate the password.
>       
>       * Note that I’m using Nacl>>randomBytes: to generate a 
> cryptographically safe random value. Here it is not really necessary, BUT you 
> should use it if you are creating session IDs or tokens.
> 
> Encrypting the database is *tricky*. You not only have to encrypt the 
> database, but also secure the key. First you need to know how much security 
> you want:
>       1) Be secure if someone hacks into the user running Pharo.
>       3) Be secure if someone steals the server.
>       4) Be secure if someone has physical access to the running server. (All 
> your keys are in RAM.)
>       2) Be secure if someone hacks root. (I doubt anything is going to save 
> you here.)
> 
> For most projects/businesses (unless working with really sensitive data, such 
> as medical data), securing the OS (users and root) and encrypting the 
> hard disk should be enough. Also do not forget to encrypt the connections. If 
> everything is on the same server just use HTTPS. But you may need more if you 
> use load balancers, multiple servers and databases.
> 
> Cheers,
> Alejandro
> 
>> On Feb 21, 2017, at 9:11 AM, Mariano Martinez Peck <marianop...@gmail.com> 
>> wrote:
>> 
>> As for single username/pass encryption (not the whole DB), and assuming you 
>> want two-way encrypt (that you want to decrypt), I have used both, Rijndael 
>> and Blowfish, both in combination with SpsSplitPasswordStore.
>> 
>> Cheers,
>> 
>>> On Tue, Feb 21, 2017 at 8:20 AM, Pierce Ng <pie...@samadhiweb.com> wrote:
>>> On Mon, Feb 20, 2017 at 05:34:41AM -0800, sergio ruiz wrote:
>>> > I have been tasked with throwing together a small web app that will hold
>>> > the passwords to different projects for my company.
>>> 
>>> Here is a collection for reference. If one of these is suitable you can 
>>> skip the implementation and just deploy.
>>> 
>>>   http://opensourcepasswordmanager.com/
>>> 
>>> > - encrypt the entire database, so that if the machine was compromised
>>> > physically, the data would be useless.
>>> 
>>> The NativeBoost version of my SQLite library supports SQLCipher, which adds
>>> transparent full database encryption to SQLite. It is not in the UFFI version
>>> yet though.
>>> 
>>>   http://sqlcipher.net
>>> 
>>> > - encrypt the username and password fields to facilitate the above, also.
>>> 
>>> If you are already familiar with using a crypto API like OpenSSL or NaCl then
>>> with Pharo's FFI it is easy to get this done too.
>>> 
>>> Pierce
>>> 
>>> 
>> 
>> 
>> 
>> -- 
>> Mariano
>> http://marianopeck.wordpress.com
> 
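The salted-hash scheme Alejandro describes above, as an added example in Python that is not code from the thread or from the Pharo NaCl binding. `hashlib.sha512` stands in for `Nacl hash:` (NaCl's `crypto_hash` is SHA-512), `secrets.token_bytes` for `Nacl randomBytes:`, and the digest comparison is done in constant time with `hmac.compare_digest` rather than a plain equality test. The `User` class, its `to_record`/`from_record` persistence helpers and the sample passwords in `demo()` are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class User:
    """Stores only a per-user random salt and SHA-512(salt || password).

    The plaintext password is never kept; validation recomputes the digest
    from the stored salt and compares it with the stored digest.
    """

    SALT_BYTES = 16  # same size as `Nacl randomBytes: 16` in the thread

    def __init__(self, salt: Optional[bytes] = None) -> None:
        # secrets.token_bytes is a CSPRNG, the counterpart of Nacl>>randomBytes:
        self.salt = salt if salt is not None else secrets.token_bytes(self.SALT_BYTES)
        self.hashed_password: Optional[bytes] = None

    @staticmethod
    def digest(salt: bytes, password: str) -> bytes:
        # NaCl's crypto_hash is SHA-512, so this matches `Nacl hash:` over
        # the salt concatenated with the password bytes.
        return hashlib.sha512(salt + password.encode("utf-8")).digest()

    def set_password(self, password: str) -> None:
        self.hashed_password = self.digest(self.salt, password)

    def validate_password(self, password: str) -> bool:
        if self.hashed_password is None:
            return False
        # Constant-time comparison: a plain == on bytes may stop at the first
        # differing byte and leak how much of the digest matched.
        return hmac.compare_digest(self.hashed_password, self.digest(self.salt, password))

    def to_record(self) -> dict:
        """What gets persisted: salt and digest only, hex-encoded (constructed format)."""
        assert self.hashed_password is not None, "password not set"
        return {"salt": self.salt.hex(), "hash": self.hashed_password.hex()}

    @classmethod
    def from_record(cls, record: dict) -> "User":
        user = cls(salt=bytes.fromhex(record["salt"]))
        user.hashed_password = bytes.fromhex(record["hash"])
        return user


def demo() -> dict:
    """Constructed walkthrough of the three properties listed in the thread."""
    alice, bob = User(), User()
    alice.set_password("correct horse")   # constructed sample password
    bob.set_password("correct horse")     # same password, different salt

    # Round-trip through the persisted form, as a database row would
    restored = User.from_record(alice.to_record())

    return {
        # 1) per-user salt: identical passwords yield different stored digests
        "same_password_different_hash": alice.hashed_password != bob.hashed_password,
        # 2) nothing but salt + digest is stored
        "record_keys": sorted(alice.to_record().keys()),
        # 3) validation still works from the stored record alone
        "accepts_correct": restored.validate_password("correct horse"),
        "rejects_wrong": not restored.validate_password("correct horsf"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

One design note: a single SHA-512 is fast to compute, so an attacker holding the stored records can try many guesses per second per user even with the per-user salt. Keeping the same salt-and-verify structure but replacing `digest` with a deliberately slow password hash (for example `hashlib.scrypt`, or Argon2 from a dedicated library) raises the cost of that offline guessing without changing anything else in the class.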
