I am planning on using the lift's mapper's megaprotouser and I am wondering if I need to hash the passwords before they are inserted into the database, or does it already take care of that?
The MegaProtoUser will not obscure the password by itself, but it uses MappedPassword, which provides that functionality. Check https://github.com/lift/framework/blob/master/persistence/mapper/src/main/scala/net/liftweb/mapper/MappedPassword.scala to see how this is achieved.
Related
Yesterday I created a store procedure with encryption for an exercise purposes but I forgot to save the query.
Today I was planning to view the tsql code by using
exec sp_helptext 'procedure_name'
But since it is encrypted I can't see the code. I was wondering if there is a way to solve this?
Providing the article in the comment as an answer so that more folks may benefit
This article goes into a lot of details on how to decrypt such objects..
It talks about a basic approach using code to decrypt the code from the system tables as well as using 3rd party tools such as DAC and Optillect (which it seems does not need admin privileges)
NOTE: I am assuming you are using sql-server since you have tagged as tsql
Passwords are hashed with a salt and are thus "secure" (relatively speaking) by default using has_secure_password in Rails 4. But what I want to do is encrypt the email at rest in the DB so if the database is compromised somehow the emails aren't just in plaintext.
I've looked at just writing my own encrypt/decrypt functions, but that's dangerous. I've looked at attr_encrypted (and have used it before) but it's not really compatible with the new Model.find_by(key: value) syntax that Rails 4+ pushes, and I don't want to create a hacked fix.
Is there anything out there already that will allow me to easily encrypt an attribute in the DB at rest and then decrypt it when I need to find it? I can't use hashes because I need the decrypted value to display and send emails to later.
I've googled for a while but can't seem to find anything like this. Surely encrypt/decrypt is something very basic that's been put into a convenient gem that's been reviewed by the community?
Have you considered the attr_encrypted gem?
If I have a password variable that is used for remote SSL authentication, is it secure to store in the source code?
e.g.
NSString * password = #"password";
Are there better way?
Update: Sorry for confusion, I am not storing the user password, instead, I am storing a password that is used to call our own backend, all the app will use the same password.
My new answer:
Try not to use static passwords to access the back-end, period. What happens if somebody you don't want determines what that password is. Why not use usernames & passwords?
You can also consider using a public key or embedded certificate to allow only your app access to the back end servers.
My original answer:
Sounds like you want to get to know the Keychain.
Here's a tutorial that talks about it:
http://maniacdev.com/2011/07/tutorial-how-to-use-the-ios-keychain-to-store-names-and-passwords/
And here is a related question that talks about the security of Keychain under iOS.
You shouldn't have programs a store static password for all users, but instead have each user set up his/her account & password for authentication and then store that stuff in the keychain.
Any text contained within your application is easily extractable. There's no real way around this - using the strings tool, anyone can see any and all text content statically embedded into your app. However, there are some ways around this - notably, if you split up your string into several static strings and concatenate in the right order, it will be much more difficult to reverse engineer the password contained in your app.
I recommend you take a look at a similar question (How Safe is Information Contained within iPhone App Compiled Code), and specifically, my answer to that question, for a more in-depth explanation of what I mean. (Nimrod's comment on that question is also interesting.)
NO!
build your app. Go to the terminal and type strings and then drag your executable to terminal and press return... You'll see your secret password in plain text :)
You should store its hash.
I have always wondered when you do web forms on your website whether it is sign up forms or search field, you give away your field name so is that a security risk or no? What's the best way to prevent that?
E.g: <input name="person_name">
It is not a security risk, it is just a name that becomes the key part in the params.
Please don't try to prevent SQL injection attacks by escaping characters. Use the PDO API to create parameterized queries. See the PDO manual on Prepared Statements
Not using the same database column names and HTML form field names is security by obscurity at best.
I'm currently building a couple of ASP.NET MVC 2 sites, and am wondering what my options are for salting a password. With my PHP work, I usually just obtained the timestamp of when a user registered, then appended it to the end of their password string before using SHA1 to hash the entire thing. My instinct is that this approach may not be sufficient.
I'm pretty new to user administration with ASP.NET anyway, so I figure it would be in my best interest to get started with best practices from the beginning. I know that ASP.NET web forms have built-in user administration available, but am unsure about MVC.
The only point of a SALT is to prevent rainbow attacks, where multiple users have the same hash for their password, so reversing one password successfully means you also know it's the password for everybody else with the same hash. Even a single-digit salt will prevent that, since two users with the same password will have different hashes if they have different salts.
As long as the salt is something that won't change, and that is different for every user, any value will work well. Timestamp of their registration, provided you don't update that field (which would invalidate their password hash and prevent their login) is a fine choice.