Hi! If it helps, I'm using NaCl to secure the passwords. You should not store the passwords of your users, not even encrypted.

For securing the passwords I use SHA-512 over the salted password.

————————————
User>>initialize
    super initialize.
    salt := (Nacl randomBytes: 16)

User>>setPassword: aPassword
    hashedPassword := Nacl hash: (salt , aPassword asByteArray)

User>>validatePassword: aPassword
    ^ hashedPassword asByteArray = (Nacl hash: salt asByteArray , aPassword asByteArray)
————————————

Notice that:
1) I have a different salt for each password; if a bad guy wants the passwords he is going to need a different rainbow table for each user.
2) I do not store the password. I do not even store the hash of the plain password.
3) Still I'm able to validate the password.

* Note that I'm using Nacl>>randomBytes: to generate a cryptographically safe random value. Here it is not really necessary, BUT you should use it if you are creating Session-IDs or Tokens.

Encrypting the database is *tricky*. You not only have to encrypt the database, but also secure the key. First you need to know how much security you want:
1) Be secure if someone hacks into the user running Pharo.
3) Be secure if someone steals the server.
4) Be secure if someone has physical access to the running server. (All your keys are in RAM)
2) Be secure if someone hacks root. (I doubt anything is going to save you here)

For most projects/businesses (unless working with really sensitive data, such as medical data) securing the OS (users and root) and encrypting the hard-disk should be enough.

Also do not forget to encrypt the connections. If everything is on the same server just use https. But you may need more if you use Load Balancers, multiple servers and databases.

Cheers,
Alejandro

> On Feb 21, 2017, at 9:11 AM, Mariano Martinez Peck <marianop...@gmail.com> wrote:
>
> As for single username/pass encryption (not the whole DB), and assuming you
> want two-way encrypt (that you want to decrypt), I have used both, Rijndael
> and Blowfish, both in combination with SpsSplitPasswordStore.
>
> Cheers,
>
> On Tue, Feb 21, 2017 at 8:20 AM, Pierce Ng <pie...@samadhiweb.com> wrote:
> On Mon, Feb 20, 2017 at 05:34:41AM -0800, sergio ruiz wrote:
> > I have been tasked with throwing together a small web app that will hold
> > the passwords to different projects for my company.
>
> Here is a collection for reference. If one of these is suitable you can skip the
> implementation and just deploy.
>
> http://opensourcepasswordmanager.com/
>
> > - encrypt the entire database, so that if the machine was compromised
> > physically, the data would be useless.
>
> The NativeBoost version of my SQLite library supports SQLcipher which adds
> transparent full database encryption to SQLite. It is not in the UFFI version
> yet though.
>
> http://sqlcipher.net
>
> > - encrypt the username and password fields to facilitate the above, also.
>
> If you are already familiar with using a crypto API like OpenSSL or NaCl then
> Pharo's FFI is easy to get this done too.
>
> Pierce
>
> --
> Mariano
> http://marianopeck.wordpress.com
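An added example in Python (not code from any message in this thread) mirroring Alejandro's User>>setPassword: / validatePassword: scheme: a per-user random salt, SHA-512 over salt || password, and only the salt and digest stored. It uses a constant-time comparison for the check, and adds a PBKDF2 variant as the usual hardening, since a single SHA-512 costs an attacker almost nothing per guess; os.urandom as the CSPRNG and the iteration count are assumptions of the example.

```python
import hashlib
import hmac
import os

SALT_LEN = 16  # bytes, matching "Nacl randomBytes: 16" in the thread


class User:
    """Per-user random salt; stores SHA-512(salt || password), never the password."""

    def __init__(self, salt=None):
        # os.urandom is the CSPRNG stand-in for Nacl>>randomBytes: (assumption)
        self.salt = salt if salt is not None else os.urandom(SALT_LEN)
        self.hashed_password = None

    def _digest(self, password):
        # setPassword: in the thread hashes (salt , aPassword asByteArray)
        return hashlib.sha512(self.salt + password.encode("utf-8")).digest()

    def set_password(self, password):
        self.hashed_password = self._digest(password)

    def validate_password(self, password):
        if self.hashed_password is None:
            return False
        # compare_digest is constant-time; a plain == leaks where bytes differ
        return hmac.compare_digest(self.hashed_password, self._digest(password))


class KdfUser(User):
    """Same storage layout, but a deliberately slow KDF instead of one SHA-512."""

    ITERATIONS = 200_000  # assumption; tune to the server's CPU budget

    def _digest(self, password):
        return hashlib.pbkdf2_hmac(
            "sha512", password.encode("utf-8"), self.salt, self.ITERATIONS, dklen=64
        )


def same_password_distinct_hashes(password):
    """Point 1 of the thread: two users with one password get unrelated digests."""
    a, b = User(), User()
    a.set_password(password)
    b.set_password(password)
    return a.hashed_password != b.hashed_password
```

Both classes store the same two fields, so a deployment can migrate from User to KdfUser by re-hashing at each user's next successful login.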