How to store encrypted passwords in database-backend

How to store encrypted passwords in database-backend

Norbert Pfaff-2
Hi,

one of our customers has had a security check, which also included our web-app.

They write our passwords are not encrypted in the database, so that if an aggressor has access to the preferences of a user, he can see the password in the html-code.

They say we should save the password as a one-way hash.  (Argon2)


What would you do?

Norbert Pfaff
Hammelstalstr. 52
67098 Bad Dürkheim

Fon: 06322 9108028
Skype:    npfaff
eMail: [hidden email]



_______________________________________________
Active4D-dev mailing list
[hidden email]
http://list.aparajitaworld.com/listinfo/active4d-dev
Archives: http://active4d-nabble.aparajitaworld.com/

Re: How to store encrypted passwords in database-backend

Bart Alcorn-4
Here is an article that does a rather good job of describing the basics of salting and hashing passwords. Obviously not 4D centric, but the process itself is well explained.

https://crackstation.net/hashing-security.htm

Hope this helps!

~ Bart Alcorn

> On Feb 7, 2018, at 6:15 AM, Norbert Pfaff <[hidden email]> wrote:
>
> Hi,
>
> one of our customers has had a security check, which also included our web-app.
>
> They write our passwords are not encrypted in the database, so that if an aggressor has access to the preferences of a user, he can see the password in the html-code.
>
> They say we should save the password as a one-way hash.  (Argon2)
>
>
> What would you do?
>
> Norbert Pfaff
> Hammelstalstr. 52
> 67098 Bad Dürkheim
>
> Fon: 06322 9108028
> Skype:    npfaff
> eMail: [hidden email]
