Hi,
I think we should improve security by storing hashed passwords instead of passwords directly, same thing for requests. For the Squeak port we can use SecureHashAlgorithm, and Security.SHA for VW. I know it's dialect specific, but I didn't find another way...

Cheers!

Nicolas

_______________________________________________
Aida mailing list
[hidden email]
http://lists.aidaweb.si/mailman/listinfo/aida
Nicolas Petton wrote:
> I think we should improve security by storing hashed passwords instead
> of passwords directly, same thing for requests.

Strongly agree for storing passwords, while for requests it is not so easy.

> For the Squeak port we can use SecureHashAlgorithm, and Security.SHA for VW.
> I know, it's dialect specific, but I didn't find another way...

I would rather use the simpler MD5 hash; it is easier to implement and therefore more portable. And Sport can maybe be extended with MD5 at some point, because Bruce Badger uses MD5 in his PostgreSQL driver.

I know, I know, MD5 is supposed to be broken already, but come on, guys, be reasonable...

Best regards
Janko

--
Janko Mivšek
AIDA/Web Smalltalk Web Application Server
http://www.aidaweb.si
On Thursday 07 February 2008 at 13:23 +0100, Janko Mivšek wrote:
> Nicolas Petton wrote:
>
> > I think we should improve security by storing hashed passwords instead
> > of passwords directly, same thing for requests.
>
> Strongly agree for storing passwords, while for requests it is not so easy.
>
> > For the Squeak port we can use SecureHashAlgorithm, and Security.SHA for VW.
> > I know, it's dialect specific, but I didn't find another way...

I was thinking about a method like this in WebSecurityManager class:

    hashPassword: aString
        ^SecureHashAlgorithm new hashMessage: aString

And in WebUser:

    isValidPassword: aString
        ^(WebSecurityManager hashPassword: aString) = self password

Same thing for storing passwords. In SecurityManagerApp:

    userNamed: anUsernameString withPassword: aPasswordString
        "find and return a WebUser with username and password. Return nil if not found"
        "both fields must be non-empty; the posted version used | here, which only
         rejected the case where both were empty"
        (anUsernameString ~= '') & (aPasswordString ~= '') ifFalse: [^nil].
        "the hash is compared as-is: SecureHashAlgorithm>>hashMessage: answers an
         Integer in Squeak, so asLowercase on it would fail"
        ^self users
            detect: [:user |
                (user username asLowercase = anUsernameString asLowercase) and:
                    [user password = (WebSecurityManager hashPassword: aPasswordString)]]
            ifNone: [nil]

In VW, instead of

    SecureHashAlgorithm new hashMessage: aString

we can use:

    hashPassword: aString
        ^Security.SHA hashFrom: aString asByteArray readStream

I tried it for both Squeak and VW. It works extremely fine, and it's very secure :)

> I would rather use the simpler MD5 hash; it is easier to implement and
> therefore more portable. And Sport can maybe be extended with MD5 at some point,
> because Bruce Badger uses MD5 in his PostgreSQL driver.
>
> I know, I know, MD5 is supposed to be broken already, but come on, guys,
> be reasonable...
>
> Best regards
> Janko
Hi again,
Here is the complete change I made for Squeak:

    WebSecurityManager class>>hashPassword: aString
        "Returns a hashed string, used to store and compare passwords in a secure way"
        ^(SecureHashAlgorithm new hashMessage: aString) asString

    WebSecurityManager>>userNamed: anUsernameString withPassword: aPasswordString
        "find and return a WebUser with username and password. Return nil if not found"
        "both username and password must be non-empty; the posted version used | here,
         which only rejected the case where both were empty"
        (anUsernameString ~= '') & (aPasswordString ~= '') ifFalse: [^nil].
        ^self users
            detect: [:user |
                (user username asLowercase = anUsernameString asLowercase) and:
                    [user password = (WebSecurityManager hashPassword: aPasswordString)]]
            ifNone: [nil]

    WebUser>>isGuest
        "all non registered visitors have the same user: a Guest"
        ^self name = 'Guest' and:
            [(self username = 'guest') & (self password = (WebSecurityManager hashPassword: 'guest'))]

    WebUser>>password: aString
        "Store hashed string"
        password := WebSecurityManager hashPassword: aString

The *only* thing that should be changed for VW is:

    WebSecurityManager class>>hashPassword: aString
        ^Security.SHA hashFrom: aString asByteArray readStream

I tried it on both Squeak and VW.

What do you think about it?

Cheers,

Nicolas

--
Nicolas Petton
http://nico.bioskop.fr
My PGP key is available here: http://nico.bioskop.si/pgp-key.html
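As an added example, not code from the thread or from AIDA/Web: the scheme posted above transcribed into Python beside a hardened form, to make the caveat a reviewer would raise concrete. A single unsalted SHA-1 (the MD5 variant behaves the same way) gives every user with the same password the same stored value, and one precomputed table of common passwords cracks all such accounts at once. A random per-user salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256 here, one option among several) and a constant-time comparison removes both problems. The lookup at the end mirrors the shape of userNamed:withPassword: (both fields non-empty, case-insensitive username, hash compared as-is) but is a hypothetical counterpart, not the project's method. Function names, the record format, the iteration count and the sample accounts are assumptions made for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# --- Scheme as posted on the list, transcribed for illustration:
# one unsalted SHA-1 over the password, stored as text.
def hash_password_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Dictionary attack on unsalted hashes: the table is computed once and
    then matched against every account in the store at the same time."""
    table = {hash_password_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


# --- Hardened scheme: random per-user salt + PBKDF2-HMAC-SHA256.
# The iteration count is an assumption; tune it to ~100 ms on the real server.
PBKDF2_ITERATIONS = 100_000
RECORD_PREFIX = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes | None = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$dk' (hex)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{RECORD_PREFIX}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the parameters stored in the record; compare in constant time.
    Any malformed record (wrong field count, bad hex, unknown prefix) fails closed."""
    try:
        prefix, iters, salt_hex, dk_hex = record.split("$")
        if prefix != RECORD_PREFIX:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


# Record for a user that does not exist, so a lookup costs the same PBKDF2
# work whether or not the username is known (no timing hint about valid names).
_DUMMY_RECORD = hash_password("not-a-real-password")


def user_named_with_password(users: dict[str, str], username: str,
                             password: str) -> str | None:
    """Hypothetical counterpart of userNamed:withPassword: over PBKDF2 records:
    both fields must be non-empty, usernames match case-insensitively, and the
    stored hash is compared as-is (never lower-cased). Returns the user or None."""
    if not username or not password:
        return None
    record = users.get(username.lower())
    if record is None:
        verify_password(password, _DUMMY_RECORD)
        return None
    return username.lower() if verify_password(password, record) else None


# Constructed sample accounts (not real data). Two users chose the same password.
UNSALTED_USERS = {
    "guest": hash_password_unsalted("guest"),
    "alice": hash_password_unsalted("letmein"),
    "bob": hash_password_unsalted("letmein"),
}
SALTED_USERS = {name: hash_password(pw) for name, pw in
                [("guest", "guest"), ("alice", "letmein"), ("bob", "letmein")]}
COMMON_PASSWORDS = ["123456", "password", "letmein", "guest", "qwerty"]

if __name__ == "__main__":
    print("alice and bob share an unsalted hash:", UNSALTED_USERS["alice"] == UNSALTED_USERS["bob"])
    print("one table cracks:", crack_unsalted(UNSALTED_USERS, COMMON_PASSWORDS))
    print("alice and bob share a salted record:", SALTED_USERS["alice"] == SALTED_USERS["bob"])
    print("login Guest/guest:", user_named_with_password(SALTED_USERS, "Guest", "guest"))
    print("login guest/wrong:", user_named_with_password(SALTED_USERS, "guest", "wrong"))
```

The record carries its own salt and iteration count, so the count can be raised later and old records still verify; hashes of the same password differ between users because each salt is fresh from os.urandom. The dummy verification on unknown usernames is there so that the response time does not reveal which usernames exist.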
Nicolas,
I think it is good for inclusion. So do it, and thanks for the incentive.

Janko

Nicolas Petton wrote:
> Hi again,
>
> Here is the complete change I made for Squeak:
>
>     WebSecurityManager class>>hashPassword: aString
>         "Returns a hashed string, used to store and compare passwords in a secure way"
>         ^(SecureHashAlgorithm new hashMessage: aString) asString
>
>     WebSecurityManager>>userNamed: anUsernameString withPassword: aPasswordString
>         "find and return a WebUser with username and password. Return nil if not found"
>         (anUsernameString ~= '') | (aPasswordString ~= '') ifFalse: [^nil].
>         ^self users
>             detect: [:user |
>                 (user username asLowercase = anUsernameString asLowercase) and:
>                     [user password = (WebSecurityManager hashPassword: aPasswordString)]]
>             ifNone: [nil]
>
>     WebUser>>isGuest
>         "all non registered visitors have the same user: a Guest"
>         ^self name = 'Guest' and:
>             [(self username = 'guest') & (self password = (WebSecurityManager hashPassword: 'guest'))]
>
>     WebUser>>password: aString
>         "Store hashed string"
>         password := WebSecurityManager hashPassword: aString
>
> The *only* thing that should be changed for VW is:
>
>     WebSecurityManager class>>hashPassword: aString
>         ^Security.SHA hashFrom: aString asByteArray readStream
>
> I tried it on both Squeak and VW.
>
> What do you think about it?
>
> Cheers,
>
> Nicolas