Hi,

> On 04 Nov 2015, at 10:40, Markus Ruggiero <mailingli...@kataputt.com> wrote:
>
> another quick question: what are you using for secure storage of passwords
> and credit card data in a Wonder app? Is there anything in Wonder (probably
> there is, but it is not always easy to find things), or are you using other
> things/libs/code? Any code examples?
For passwords: don't store them :-)

We employ bcrypt to hash passwords and verify them later on (which actually has an implementation present in Wonder somewhere in er.extensions, but there are some common Java implementations as well) and never store any cleartext passwords; today password storage should never use anything but schemes that are specially crafted or recommended for password hashing (please don't go and just sha256-hash passwords). Be aware though that these are computationally more intense than "normal" hash functions (which is actually the whole point, to avoid brute-forcing or precomputation).

This basically comes down to:

    final String cryptedPassword = BCrypt.hashpw(password, BCrypt.gensalt(BCRYPT_DIFFICULTY));

and

    return BCrypt.checkpw(enteredPassword, cryptedPassword);

where cryptedPassword is everything you ever store. BCRYPT_DIFFICULTY is the difficulty factor which determines how hard the bcrypt function will be to calculate; you might have to run some benchmarks based on your hardware and workload, but common values are around 10-12.

This way automatically includes some random salt, which ensures that the same password never looks the same when hashed (this ensures that knowing one password does not automatically mean that you know all other accounts that use the same one, see the Adobe password leak). scrypt and pbkdf2 are other common alternatives that many people use. But never ever store cleartext passwords or simple hashes of cleartext passwords (especially unsalted). And never underestimate the attractiveness of someone breaching your database (even if it is an "unimportant" service, many users will use the same password for email and more important stuff) or the fallout from you being the service that leaked passwords.
Greetings
Dennis

--
-----------------------------------------------------
Dennis Bliefernicht • Backend Development
T +49 40 357 3001 62
dennis.blieferni...@xyrality.com
XYRALITY GmbH • Friedensallee 290 • 22763 Hamburg
www.xyrality.com <http://www.xyrality.com/>
Registergericht: Hamburg HRB 115332
Geschäftsführer: Sven Ossenbrüggen
-----------------------------------------------------
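The hash/verify pattern Dennis describes, as an added example that is not his code nor Wonder's. It assumes the jBCrypt library (org.mindrot.jbcrypt, whose BCrypt.hashpw/gensalt/checkpw calls are the ones quoted above) is on the classpath, and it goes a step beyond the mail: it reads the cost back out of a stored hash so that logins with an old, cheaper hash can be transparently re-hashed at the current difficulty, and it times a single hash so the difficulty can be benchmarked on the real hardware. The cost value 12 and the class/method names are assumptions.

```java
import org.mindrot.jbcrypt.BCrypt;

/** Added example, not part of the original mail or of Wonder/er.extensions. */
public final class PasswordStore {
    // Target work factor; 12 is an assumption, tune it with benchmarkCostMillis().
    static final int BCRYPT_DIFFICULTY = 12;

    // Registration / password change: the returned string is the only thing persisted.
    public static String hash(String password) {
        return BCrypt.hashpw(password, BCrypt.gensalt(BCRYPT_DIFFICULTY));
    }

    // Login. Returns null on mismatch; the stored hash unchanged when it matches and
    // is already at the current cost; or a fresh hash when the stored one was made
    // with a lower cost, which the caller should write back over the old value.
    public static String verifyAndMaybeUpgrade(String enteredPassword, String storedHash) {
        if (!BCrypt.checkpw(enteredPassword, storedHash)) {
            return null;
        }
        return costOf(storedHash) < BCRYPT_DIFFICULTY ? hash(enteredPassword) : storedHash;
    }

    // A bcrypt string looks like $2a$12$<22-char salt><31-char hash>: the cost is
    // the number between the second and third '$'.
    static int costOf(String bcryptHash) {
        String[] parts = bcryptHash.split("\\$");
        return Integer.parseInt(parts[2]);
    }

    // Wall-clock time of one hash at the given cost, so the difficulty can be chosen
    // per machine (each +1 doubles the work; login latency is the budget to stay in).
    public static long benchmarkCostMillis(int cost) {
        long start = System.nanoTime();
        BCrypt.hashpw("benchmark-only-password", BCrypt.gensalt(cost));
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) {
        String stored = hash("correct horse battery staple");   // constructed sample
        System.out.println("stored: " + stored);
        System.out.println("match:  " + (verifyAndMaybeUpgrade("correct horse battery staple", stored) != null));
        System.out.println("wrong:  " + (verifyAndMaybeUpgrade("wrong password", stored) != null));
        for (int c = 10; c <= 12; c++) {
            System.out.println("cost " + c + ": " + benchmarkCostMillis(c) + " ms");
        }
    }
}
```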