Re: Secure storage of passwords or credit card data

2015-11-10 Thread Markus Ruggiero
Thanks all who responded. I got some great ideas.

Just to make all of you feel better - I don't intend to store any CC numbers 
(just used it as an example) and I am fully aware that one should never ever 
store passwords but only some cryptographic hashes - and that was what I was 
looking for - ideas on how to accomplish this.

Again thank you all.
---markus---

> On 09.11.2015, at 17:53, Ramsey Gurley  wrote:
> 
> Hi Markus,
> 
> As others have mentioned, don’t store CC data unless you really really have 
> to. You make a system compromise so much worse if you’ve got CC stuff lying 
> around. That said, there’s ERXCryptoString and the ERPrototype by the same 
> name.
> 
> For password hashing, the new state of the art is Argon2. Google held a 
> password hashing competition and this is the winner.
> 
> https://password-hashing.net/
> 
> For java, it looks like you just compile the C and Runtime.exec() the thing. 
> I’ll be most interested in seeing this implemented in a browser (a new 
>  tag perhaps?) and/or ported to Javascript, because I’ve had a 
> change of heart about password hashes recently. Remember that there are three 
> factors to authentication,
> 
> Something only you are (biometrics)
> Something only you have (yubikey)
> Something only you know (password)
> 
> How is it something *only* you know if you’ve just uploaded it as plaintext 
> to some stranger's server on the www? In short, I think hashing should be 
> done client side. The salt could be generated using username+domain or 
> something. This would also distribute the workload of the slow hash out to 
> the clients, preventing the need to have some gigantic beefy password hashing 
> machine.
> 
> Ramsey
> 
> On Nov 4, 2015, at 2:40 AM, Markus Ruggiero  wrote:
> 
>> Folks,
>> 
>> another quick question: what are you using for secure storage of passwords 
>> and credit card data in a Wonder app? Is there anything in Wonder (probably 
>> there is, but it is not always easy to find things), or are you using other 
>> things/libs/code? Any code examples?
>> 
>> Thanks for any hint / pointer /example
>> ---markus---
>> 
>> ___
>> Do not post admin requests to the list. They will be ignored.
>> Webobjects-dev mailing list  (Webobjects-dev@lists.apple.com)
>> Help/Unsubscribe/Update your Subscription:
>> https://lists.apple.com/mailman/options/webobjects-dev/rgurley%40smarthealth.com
>> 
>> This email sent to rgur...@smarthealth.com
> 



Re: Secure storage of passwords or credit card data

2015-11-09 Thread Ramsey Gurley
Hi Markus,

As others have mentioned, don’t store CC data unless you really really have to. 
You make a system compromise so much worse if you’ve got CC stuff lying around. 
That said, there’s ERXCryptoString and the ERPrototype by the same name.

For password hashing, the new state of the art is Argon2. Google held a 
password hashing competition and this is the winner.

https://password-hashing.net/

For java, it looks like you just compile the C and Runtime.exec() the thing. 
I’ll be most interested in seeing this implemented in a browser (a new 
 tag perhaps?) and/or ported to Javascript, because I’ve had a change 
of heart about password hashes recently. Remember that there are three factors 
to authentication,

Something only you are (biometrics)
Something only you have (yubikey)
Something only you know (password)

How is it something *only* you know if you’ve just uploaded it as plaintext to 
some stranger's server on the www? In short, I think hashing should be done 
client side. The salt could be generated using username+domain or something. 
This would also distribute the workload of the slow hash out to the clients, 
preventing the need to have some gigantic beefy password hashing machine.

Ramsey

On Nov 4, 2015, at 2:40 AM, Markus Ruggiero  wrote:

> Folks,
> 
> another quick question: what are you using for secure storage of passwords 
> and credit card data in a Wonder app? Is there anything in Wonder (probably 
> there is, but it is not always easy to find things), or are you using other 
> things/libs/code? Any code examples?
> 
> Thanks for any hint / pointer /example
> ---markus---
> 



Re: Secure storage of passwords or credit card data

2015-11-09 Thread Dennis Bliefernicht
Hi everyone,

> On 08 Nov 2015, at 00:08, Mark Wardle  wrote:
> 
> I’m using http://www.jasypt.org 
Note that jasypt seems to use a default of "1000 times MD5" on the password, 
which depending on who you ask is not considered that secure anymore (still 
better than simple hashing though of course), especially as rainbow tables and 
GPUs help A LOT in cracking MD5 hashes more easily. Depending on the needs an 
attacker might even not try to crack the hash at all but just create a password 
that matches the same hash (collision). At least for new systems I would advise 
against using that for password protection as the algorithm can be parallelized 
very efficiently (which is what scrypt/bcrypt try to avoid on purpose to avoid 
being speed-cracked on GPUs for example).

Greetings
Dennis

--
-
Dennis Bliefernicht • Backend Development
T +49 40 357 3001 62
dennis.blieferni...@xyrality.com

XYRALITY GmbH • Friedensallee 290 • 22763 Hamburg
www.xyrality.com 
Registergericht: Hamburg HRB 115332
Geschäftsführer: Sven Ossenbrüggen
-


Re: Secure storage of passwords or credit card data

2015-11-07 Thread Mark Wardle
I’m using http://www.jasypt.org 

I have a property such as encryptedPassword and then write code like this:

// jasypt classes used below
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.util.password.BasicPasswordEncryptor;

public void setPassword(String newPassword) {
    // BasicPasswordEncryptor salts and digests the password; only the
    // resulting digest string is stored in the encryptedPassword attribute.
    BasicPasswordEncryptor passwordEncryptor = new BasicPasswordEncryptor();
    setEncryptedPassword(passwordEncryptor.encryptPassword(newPassword));
}

public boolean canAuthenticateWithPassword(String password) {
    BasicPasswordEncryptor passwordEncryptor = new BasicPasswordEncryptor();
    try {
        // checkPassword re-digests the candidate with the stored salt and compares
        return passwordEncryptor.checkPassword(password, encryptedPassword());
    }
    catch (EncryptionOperationNotPossibleException e) {
        // thrown when the stored value is not a valid jasypt digest (e.g. null or corrupted);
        // log is the class's logger
        log.error(e);
    }
    return false;
}

Mark

> On 4 Nov 2015, at 18:29, Ray Kiddy  wrote:
> 
> On Wed, 04 Nov 2015 10:40:49 +0100
> Markus Ruggiero  wrote:
> 
>> Folks,
>> 
>> another quick question: what are you using for secure storage of
>> passwords and credit card data in a Wonder app? Is there anything in
>> Wonder (probably there is, but it is not always easy to find things),
>> or are you using other things/libs/code? Any code examples?
>> 
>> Thanks for any hint / pointer /example
>> ---markus---
>> 
> 
> This is a good source of info on how to do some of these things:
> 
> https://www.owasp.org/index.php/Cheat_Sheets
> 
> See the cheat sheets on password storage, authentication, "forgot
> password", and many, many others. The ones that I have read tend to come
> with both a good explanation and code examples.
> 
> cheers - ray


Re: Secure storage of passwords or credit card data

2015-11-04 Thread Ray Kiddy
On Wed, 04 Nov 2015 10:40:49 +0100
Markus Ruggiero  wrote:

> Folks,
> 
> another quick question: what are you using for secure storage of
> passwords and credit card data in a Wonder app? Is there anything in
> Wonder (probably there is, but it is not always easy to find things),
> or are you using other things/libs/code? Any code examples?
> 
> Thanks for any hint / pointer /example
> ---markus---
> 

This is a good source of info on how to do some of these things:

https://www.owasp.org/index.php/Cheat_Sheets

See the cheat sheets on password storage, authentication, "forgot
password", and many, many others. The ones that I have read tend to come
with both a good explanation and code examples.

cheers - ray

Secure storage of passwords or credit card data

2015-11-04 Thread Markus Ruggiero
Folks,

another quick question: what are you using for secure storage of passwords and 
credit card data in a Wonder app? Is there anything in Wonder (probably there 
is, but it is not always easy to find things), or are you using other 
things/libs/code? Any code examples?

Thanks for any hint / pointer / example
---markus---


Re: Secure storage of passwords or credit card data

2015-11-04 Thread Fabian Peters
Hi Markus,

To generate password hashes, there's er.extensions.crypting.Bcrypt. IMHO you 
shouldn't have to store credit card data these days, unless you work on a 
payment service provider system. Seamless integration is possible and payment 
service providers can also store customers' card data for you.

Fabian

> Am 04.11.2015 um 10:40 schrieb Markus Ruggiero :
> 
> Folks,
> 
> another quick question: what are you using for secure storage of passwords 
> and credit card data in a Wonder app? Is there anything in Wonder (probably 
> there is, but it is not always easy to find things), or are you using other 
> things/libs/code? Any code examples?
> 
> Thanks for any hint / pointer /example
> ---markus---
> 



Re: Secure storage of passwords or credit card data

2015-11-04 Thread Dennis Bliefernicht
Hi,

> On 04 Nov 2015, at 10:40, Markus Ruggiero  wrote:
> 
> another quick question: what are you using for secure storage of passwords 
> and credit card data in a Wonder app? Is there anything in Wonder (probably 
> there is, but it is not always easy to find things), or are you using other 
> things/libs/code? Any code examples?

For passwords: don't store them :-) We employ bcrypt to hash passwords and 
verify them later on (which actually has an implementation present in Wonder 
somewhere in er.extensions, but there are some common Java implementations as 
well) and never store any cleartext passwords; today password storage should 
never use anything but schemes that are specially crafted or recommended for 
password hashing (please don't go and just sha256-hash passwords). Be aware 
though that these are computationally more intense than "normal" hash functions 
(which is actually the whole point, to avoid brute-forcing or precomputation). 
This basically comes down to:

    final String cryptedPassword = BCrypt.hashpw(password, BCrypt.gensalt(BCRYPT_DIFFICULTY));

and

    return BCrypt.checkpw(enteredPassword, cryptedPassword);

where cryptedPassword is everything you ever store. BCRYPT_DIFFICULTY is the 
difficulty factor which determines how hard the bcrypt function will be to 
calculate; you might have to run some benchmarks based on your hardware and 
workload, but common values are around 10-12. This way automatically includes 
some random salt, which ensures that the same password never looks the same 
when hashed (this ensures that knowing one password does not automatically mean 
that you know all other accounts that are the same, see the Adobe password 
leak).

scrypt and pbkdf2 are other common alternatives that many people use. But never 
ever store cleartext passwords or simple hashes of cleartext password 
(especially unsalted). And never underestimate the attractiveness of someone 
breaching your database (even if it is an "unimportant" service, many users 
will use the same password for email and more important stuff) or the fallout 
from you being the service that leaked passwords.

Greetings
Dennis

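The two points Dennis makes in this thread, that the bcrypt cost factor has to be benchmarked for your own hardware and that jasypt's default of 1000 x MD5 should not be used for new systems, come together in the following class. It is an added example and not code from the thread, from Wonder, jasypt or jBCrypt. It assumes org.mindrot:jbcrypt on the classpath (Wonder's er.extensions.crypting.BCrypt is assumed to expose the same static hashpw/gensalt/checkpw methods) and uses jasypt's BasicPasswordEncryptor only to verify digests that code like Mark's would have stored. The class name, the storedHash field and the sample password are constructed for the example; on a successful login against a legacy jasypt digest, or against a bcrypt hash made with a lower cost than currently required, it re-hashes the just-verified password so the weaker value is replaced.

```java
// Added example, not from the thread or from Wonder/jasypt/jBCrypt themselves.
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.util.password.BasicPasswordEncryptor;
import org.mindrot.jbcrypt.BCrypt;

public final class PasswordStore {

    // Work factor required for new hashes: 2^12 rounds. Tune it with millisPerHash().
    static final int BCRYPT_DIFFICULTY = 12;
    private static final String BCRYPT_PREFIX = "$2a$";

    // Stand-in for the encryptedPassword attribute of a user EO (constructed for the example).
    private String storedHash;

    public String storedHash() {
        return storedHash;
    }

    /** Store a new password: only the bcrypt string (prefix, cost, salt, digest) is kept. */
    public void setPassword(String newPassword) {
        storedHash = BCrypt.hashpw(newPassword, BCrypt.gensalt(BCRYPT_DIFFICULTY));
    }

    /**
     * Verify a login. A legacy jasypt digest (1000 x MD5 by default) is still accepted,
     * but on success it is immediately replaced by a bcrypt hash, so the weak digest
     * leaves the database the next time that user logs in.
     */
    public boolean canAuthenticateWithPassword(String entered) {
        if (storedHash == null) {
            return false;
        }
        if (storedHash.startsWith(BCRYPT_PREFIX)) {
            boolean ok = BCrypt.checkpw(entered, storedHash);
            if (ok && costOf(storedHash) < BCRYPT_DIFFICULTY) {
                setPassword(entered);           // raise the cost of an old bcrypt hash
            }
            return ok;
        }
        try {
            if (new BasicPasswordEncryptor().checkPassword(entered, storedHash)) {
                setPassword(entered);           // migrate the legacy jasypt digest to bcrypt
                return true;
            }
        } catch (EncryptionOperationNotPossibleException e) {
            // stored value is neither a bcrypt string nor a valid jasypt digest
        }
        return false;
    }

    /** Cost factor encoded in a bcrypt string, e.g. 12 for "$2a$12$...". */
    static int costOf(String bcryptHash) {
        return Integer.parseInt(bcryptHash.substring(4, 6));
    }

    /** Wall-clock time of one hash at the given cost, for choosing BCRYPT_DIFFICULTY. */
    static long millisPerHash(int cost) {
        long start = System.nanoTime();
        BCrypt.hashpw("benchmark-only", BCrypt.gensalt(cost));
        return (System.nanoTime() - start) / 1_000_000L;
    }

    public static void main(String[] args) {
        PasswordStore user = new PasswordStore();
        // Constructed legacy record: what a jasypt-based setPassword() would have stored.
        user.storedHash = new BasicPasswordEncryptor().encryptPassword("hunter2");
        System.out.println("legacy digest: " + user.storedHash());
        System.out.println("login ok:      " + user.canAuthenticateWithPassword("hunter2"));
        System.out.println("now bcrypt:    " + user.storedHash());
        System.out.println("wrong pw:      " + user.canAuthenticateWithPassword("hunter3"));
        for (int cost = 10; cost <= 12; cost++) {
            System.out.println("cost " + cost + ": " + millisPerHash(cost) + " ms per hash");
        }
    }
}
```

Run the main() once on the production hardware and pick the smallest BCRYPT_DIFFICULTY whose time per hash is still acceptable for your login rate; raising the constant later is safe, because existing hashes keep working and are upgraded on the user's next successful login.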
