NetTalk Central

Author Topic: Login Form; How to hide/encrypt login and password, log and cookies  (Read 7624 times)

walter.dasilva

Hi,

How to hide or encrypt login and password on cookies, log (server side) and get/post?

Regards,
Walter - SOFTVALE

MyBrainIsFull

Re: Login Form; How to hide/encrypt login and password, log and cookies
« Reply #1 on: October 21, 2014, 04:25:19 PM »
Hi, I have been thinking of this too and need to do it soon. The idea is that you should never have to save the user's password.

If you use JavaScript to hash it or encrypt it on the client side, then you can store the hashed or encrypted "thing" that is returned.

See this article: http://glynrob.com/javascript/client-side-hashing-and-encryption/

And for an example of how, see http://www.vincentcheung.ca/jsencryption/

He even has the .js code to do it.

Hope this helps
K
« Last Edit: October 21, 2014, 04:40:18 PM by MyBrainIsFull »

Bruce

Re: Login Form; How to hide/encrypt login and password, log and cookies
« Reply #2 on: October 21, 2014, 11:26:24 PM »
Hi Walter,

Any login or password stored in a cookie is completely unsecure - since it is easy to attack the browser, or data traffic, to read it. In other words, whatever you store in the cookie can be passed back to you by any attacker, and hence the user can easily be spoofed.

That said, you can encrypt the data you put into the cookie. The values written into the cookie are typically done inside your Loginform procedure, so obviously you can write anything you like into those cookies. One option, as Kevin suggests, is to hash the value of the login, and the value of the password, and store these in the cookie. Then when you test the incoming value, check to see if the user has typed a plain-text value, or you are receiving the hash.

The easiest way to hash the data in Clarion is to use Cryptonite. Use a strong hash, like SHA-256 rather than a weak one like SHA1 or MD5.

It's better to do the hashing, and encryption on the server side rather than the client side. (Although if the user actually typed in a value, then you could send the hash to the server instead of the value itself.)

cheers
Bruce



MyBrainIsFull

Re: Login Form; How to hide/encrypt login and password, log and cookies
« Reply #3 on: October 22, 2014, 03:29:07 AM »
But surely Bruce, sending the password in plain text back to the server is what we are trying to avoid, as anyone can sniff this.

If I am installing on a client site, the IT team will look for this first and complain.

Surely the approach should be to "Mash" the password with anything known, even the primary key of the person, to make something of the password that is sent back to the server as "Gobeldey-Gook" - put this in the database, as no one should ever be able to look at a password.

When the user logs in, scramble their login password the same way - and compare that to the database, if it's the same "Gobeldy-Gook" then they are in.

Sure if you want to see it to test, use Cryptonite, that's cool, but not send passwords to the server in plain view.

Your thoughts Bruce?
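
The store-a-scrambled-value-and-compare scheme from Replies #2 and #3, done on the server, as an added example that is not part of the original posts and is not NetTalk or Cryptonite code. It assumes Python's standard library, uses a random per-user salt in place of the primary key, and uses PBKDF2-HMAC-SHA256 (an iterated, salted SHA-256 construction) rather than a single SHA-256 pass; the function names, record format and iteration count are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex' for storage in the user table.

    The plain-text password itself is never stored.
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Scramble the typed password the same way and compare with the stored record."""
    try:
        iterations_s, salt_hex, hash_hex = stored.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, expected)
```

Because the salt is random, two users with the same password get different stored records, and the iteration count stored in each record lets the work factor be raised later without invalidating old records.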
 

walter.dasilva

Re: Login Form; How to hide/encrypt login and password, log and cookies
« Reply #4 on: October 22, 2014, 11:57:08 AM »
First, thank you all for your considerations.

So Bruce, I did what you said. Actually I'm hashing the password and storing it in my database. I saw I can encrypt it before putting it in the cookie but I don't know how to decrypt, or better, where I can decrypt the cookie before it is passed to the form fields.

And about what Kevin said, I don't want to send the password in plain text to the server, I want to encrypt it before.
Right, I'm using SSL but - I think - before it is sent to the internet and when it is received by the server I can see it in plain text.

Am I freaking out about this question or must I really consider it?

Regards,
Walter - SOFTVALE

Bruce

Re: Login Form; How to hide/encrypt login and password, log and cookies
« Reply #5 on: October 22, 2014, 09:39:56 PM »
>> I saw I can encrypt it before put in cookie but I don't know how to decrypt,

What tool are you using for encryption? I guess you'd use the same tool for decryption. Are you using Cryptonite?

>> or better where I can decrypt cookie before it be passed to fields form.

You only need to decrypt the value right before you actually use it. So just add that as a step right before you do the login validation.
Of course the incoming value may be _unencrypted_ if it's not coming from a cookie, but from something they typed in - so you may need to do your validation test twice.

>> am i freaking about this question or i must really consider it?

It's always worth learning how to do things - then you can decide if you want to do them or not.

cheers
Bruce

walter.dasilva

Re: Login Form; How to hide/encrypt login and password, log and cookies
« Reply #6 on: October 23, 2014, 04:21:49 AM »
I've got it.

Yes, I'm using Cryptonite (I'm CS addicted  :D )

I think disabling "remember me" is a good idea for now.

Thanks
Walter - SOFTVALE
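
The point in Reply #2 that whatever is stored in the cookie can be passed back by an attacker applies to a hashed password as well. If "remember me" is enabled, one alternative that goes beyond what the thread describes is a random, expiring, single-use token in the cookie instead of anything derived from the password. This is an added example, not part of the original posts and not NetTalk or Cryptonite code; the table, function names and lifetime are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_LIFETIME = 14 * 24 * 3600  # assumed: remember-me valid for 14 days

# Stand-in for a server-side table: selector -> (user_id, sha256(token), expires_at)
remember_table = {}


def issue_cookie(user_id, now=None):
    """Create a remember-me cookie value; only a hash of the token is kept server-side."""
    now = time.time() if now is None else now
    selector = secrets.token_hex(8)     # lookup key, not secret
    token = secrets.token_urlsafe(32)   # secret part: random, unrelated to the password
    token_hash = hashlib.sha256(token.encode("utf-8")).digest()
    remember_table[selector] = (user_id, token_hash, now + TOKEN_LIFETIME)
    return f"{selector}:{token}"


def redeem_cookie(cookie, now=None):
    """Return (user_id, new_cookie) if the cookie is valid, else (None, None).

    The stored record is removed on every attempt, so a cookie works at most
    once; a successful login is handed a freshly issued replacement.
    """
    now = time.time() if now is None else now
    selector, sep, token = cookie.partition(":")
    record = remember_table.pop(selector, None) if sep else None
    if record is None:
        return None, None
    user_id, token_hash, expires_at = record
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if now > expires_at or not hmac.compare_digest(presented, token_hash):
        return None, None
    return user_id, issue_cookie(user_id, now)
```

A captured cookie is still usable until the real user redeems it or it expires, so the cookie should only travel over SSL, as Reply #7 says.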

Bruce

Re: Login Form; How to hide/encrypt login and password, log and cookies
« Reply #7 on: October 23, 2014, 09:22:49 PM »
If you care about the security, then the site should be SSL.
If you don't care about the security then all this thread is just extra work for no purpose.

cheers
Bruce