Search Results

Search found 38 results on 2 pages for 'bcrypt'.

Page 1/2 | 1 2  | Next Page >

  • making a password-only auth with bcrypt and mongoose

    - by user3081123
    I want to create service that let you login only with password. You type a password and if this password exists - you are logged in and if it's not - username is generated and password is encrypted. I'm having some misunderstandings and hope someone would help me to show where I'm mistaken. I guess, it would look somewhat like this in agularjs First we receive a password in login controller. $scope.signup = function() { var user = { password: $scope.password, }; $http.post('/auth/signup', user); }; Send it via http.post and get in in our node server file. We are provided with a compare password bcrypt function userSchema.methods.comparePassword = function(candidatePassword, cb) { bcrypt.compare(candidatePassword, this.password, function(err, isMatch) { if (err) return cb(err); cb(null, isMatch); }); }; So right now we are creating function to catch our http request app.post('/auth/signup', function(req, res, next) { Inside we use a compair password function to realize if such password exists or not yet. So we have to encrypt a password with bcrypt to make a comparison First we hash it same way as in .pre var encPass; bcrypt.genSalt(10, function(err, salt) { if (err) return next(err); bcrypt.hash(req.body.password, salt, function(err, hash) { if (err) return next(err); encPass=hash; )}; )}; We have encrypted password stored in encPass so now we follow to finding a user in database with this password User.findOne({ password: encPass }, function(err, user) { if (user) { //user exists, it means we should pass an ID of this user to a controller to display it in a view. I don't know how. res.send({user.name}) //like this? How should controller receive this? With $http.post? } else { and now if user doesn't exist - we should create it with user ID generated by my function var nUser = new User({ name: generId(), password: req.body.password }); nUser.save(function(err) { if (err) return next(err); )}; )}; )}; Am I doing anything right? I'm pretty new to js and angular. If so - how do I throw a username back at controller? If someone is interested - this service exists for 100+ symbol passphrases so possibility of entering same passphrase as someone else is miserable. And yeah, If someone logged in under 123 password - the other guy will log in as same user if he entered 123 password, but hey, you are warned to make a big passphrase. So I'm confident about the idea and I only need a help with understanding and realization.

    Read the article

  • authentication of webapps when passwords are hashed with bcrypt

    - by dubreakkk
    I created a GWT project which requires authentication. Initially, the users' passwords were in plain text, but now I would like to hash them with BCrypt. I searched but I cannot find a place describing how to make Jetty authenticate against a BCrypt hashed password. I'm sending the password to the server using a FORM in plain text and over SSL. What do I need to do to make Jetty hash this password and compare it to the one in the database? Thank you;

    Read the article

  • BCrypt says long, similar passwords are equivalent - problem with me, the gem, or the field of crypt

    - by PreciousBodilyFluids
    I've been experimenting with BCrypt, and found the following. If it matters, I'm running ruby 1.9.2dev (2010-04-30 trunk 27557) [i686-linux] require 'bcrypt' # bcrypt-ruby gem, version 2.1.2 @long_string_1 = 'f287ed6548e91475d06688b481ae8612fa060b2d402fdde8f79b7d0181d6a27d8feede46b833ecd9633b10824259ebac13b077efb7c24563fce0000670834215' @long_string_2 = 'f6ebeea9b99bcae4340670360674482773a12fd5ef5e94c7db0a42800813d2587063b70660294736fded10217d80ce7d3b27c568a1237e2ca1fecbf40be5eab8' def salted(string) @long_string_1 + string + @long_string_2 end encrypted_password = BCrypt::Password.create(salted('password'), :cost => 10) puts encrypted_password #=> $2a$10$kNMF/ku6VEAfLFEZKJ.ZC.zcMYUzvOQ6Dzi6ZX1UIVPUh5zr53yEu password = BCrypt::Password.new(encrypted_password) puts password.is_password?(salted('password')) #=> true puts password.is_password?(salted('passward')) #=> true puts password.is_password?(salted('75747373')) #=> true puts password.is_password?(salted('passwor')) #=> false At first I thought that once the passwords got to a certain length, the dissimilarities would just be lost in all the hashing, and only if they were very dissimilar (i.e. a different length) would they be recognized as different. That didn't seem very plausible to me, from what I know of hash functions, but I didn't see a better explanation. Then, I tried shortening each of the long_strings to see where BCrypt would start being able to tell them apart, and I found that if I shortened each of the long strings to 100 characters or so, the final attempt ('passwor') would start returning true as well. So now I don't know what to think. What's the explanation for this?

    Read the article

  • SHA512 vs. Blowfish and Bcrypt

    - by Chris
    I'm looking at hashing algorithms, but couldn't find an answer. Bcrypt uses Blowfish Blowfish is better than MD5 Q: but is Blowfish better than SHA512? Thanks.. Update: I want to clarify that I understand the difference between hashing and encryption. What prompted me to ask the question this way is this article, where the author refers to bcrypt as "adaptive hashing" http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html Since bcrypt is based on Blowfish, I was led to think that Blowfish is a hashing algorithm. If it's encryption as answers have pointed out, then seems to me like it shouldn't have a place in this article. What's worse is that he's concluding that bcrypt is the best. What's also confusing me now is that the phpass class (used for password hashing I believe) uses bcrypt (i.e. blowfish, i.e. encryption). Based on this new info you guys are telling me (blowfish is encryption), this class sounds wrong. Am I missing something?

    Read the article

  • Ruby (Rack) application could not be started - Passenger (3.0.9) error for rails 3.1.0 app on ubuntu and nginx (1.0.6) after deploying

    - by user938363
    Here is the error saying bcrypt was not loaded. The rails app is not using the Devise for authentication and gem bcrypt is not in Gemfile. Sometime, the webserver throws out the error saying spawn server can not start. gem list shows that both bcrypt-ruby 3.0.1 and 3.0.0 were installed. Ruby (Rack) application could not be started A source file that the application requires, is missing. * It is possible that you didn't upload your application files correctly. Please check whether all your application files are uploaded. * A required library may not installed. Please install all libraries that this application requires. Further information about the error may have been written to the application's log file. Please check it in order to analyse the problem. Error message: no such file to load -- bcrypt Exception class: LoadError Application root: /vol/www/emclab/current Backtrace: # File Line Location 0 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/activesupport-3.1.0/lib/active_support/dependencies.rb 240 in `require' 1 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/activesupport-3.1.0/lib/active_support/dependencies.rb 240 in `block in require' 2 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/activesupport-3.1.0/lib/active_support/dependencies.rb 225 in `load_dependency' 3 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/activesupport-3.1.0/lib/active_support/dependencies.rb 240 in `require' 4 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/activemodel-3.1.0/lib/active_model/secure_password.rb 1 in `' 5 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/activerecord-3.1.0/lib/active_record/base.rb 2160 in `block in ' 6 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/activerecord-3.1.0/lib/active_record/base.rb 2140 in `class_eval' 7 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/activerecord-3.1.0/lib/active_record/base.rb 2140 in `' 8 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/activerecord-3.1.0/lib/active_record/base.rb 31 in `' 9 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/activerecord-3.1.0/lib/active_record/session_store.rb 77 in `' 10 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/activerecord-3.1.0/lib/active_record/session_store.rb 51 in `' 11 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/activerecord-3.1.0/lib/active_record/session_store.rb 1 in `' 12 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/railties-3.1.0/lib/rails/application/configuration.rb 123 in `session_store' 13 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/railties-3.1.0/lib/rails/application.rb 168 in `block in default_middleware_stack' 14 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/railties-3.1.0/lib/rails/application.rb 142 in `tap' 15 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/railties-3.1.0/lib/rails/application.rb 142 in `default_middleware_stack' 16 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/railties-3.1.0/lib/rails/engine.rb 445 in `app' 17 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/railties-3.1.0/lib/rails/application/finisher.rb 37 in `block in ' 18 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/railties-3.1.0/lib/rails/initializable.rb 25 in `instance_exec' 19 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/railties-3.1.0/lib/rails/initializable.rb 25 in `run' 20 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/railties-3.1.0/lib/rails/initializable.rb 50 in `block in run_initializers' 21 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/railties-3.1.0/lib/rails/initializable.rb 49 in `each' 22 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/railties-3.1.0/lib/rails/initializable.rb 49 in `run_initializers' 23 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/railties-3.1.0/lib/rails/application.rb 92 in `initialize!' 24 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/railties-3.1.0/lib/rails/railtie/configurable.rb 30 in `method_missing' 25 /vol/www/emclab/releases/20111115184804/config/environment.rb 5 in `' 26 config.ru 3 in `require' 27 config.ru 3 in `block in ' 28 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/rack-1.3.2/lib/rack/builder.rb 51 in `instance_eval' 29 /vol/www/emclab/shared/bundle/ruby/1.9.1/gems/rack-1.3.2/lib/rack/builder.rb 51 in `initialize' 30 config.ru 1 in `new' 31 config.ru 1 in `' 32 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/rack/application_spawner.rb 222 in `eval' 33 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/rack/application_spawner.rb 222 in `load_rack_app' 34 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/rack/application_spawner.rb 156 in `block in initialize_server' 35 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/utils.rb 572 in `report_app_init_status' 36 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/rack/application_spawner.rb 153 in `initialize_server' 37 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/abstract_server.rb 204 in `start_synchronously' 38 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/abstract_server.rb 180 in `start' 39 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/rack/application_spawner.rb 128 in `start' 40 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/spawn_manager.rb 253 in `block (2 levels) in spawn_rack_application' 41 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/abstract_server_collection.rb 132 in `lookup_or_add' 42 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/spawn_manager.rb 246 in `block in spawn_rack_application' 43 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/abstract_server_collection.rb 82 in `block in synchronize' 44 prelude> 10:in `synchronize' 45 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/abstract_server_collection.rb 79 in `synchronize' 46 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/spawn_manager.rb 244 in `spawn_rack_application' 47 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/spawn_manager.rb 137 in `spawn_application' 48 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/spawn_manager.rb 275 in `handle_spawn_application' 49 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/abstract_server.rb 357 in `server_main_loop' 50 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/lib/phusion_passenger/abstract_server.rb 206 in `start_synchronously' 51 /home/dtt/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9/helper-scripts/passenger-spawn-server 99 in `' cap deploy:check returns: You appear to have all necessary dependencies installed Any thoughts about the problem? thanks!

    Read the article

  • PHP introduit une nouvelle API de gestion des mots de passe, fondée sur l'algorithme de hashage sécurisé Bcrypt

    La RFC "password_hash" vient d'être acceptée et sera ajoutée à PHP 5.5 Pourquoi cette nouvelle API ? Généralement lorsque l'on parle de hash de mot de passe les utilisateurs se tournent vers md5 ou sha, deux algorithmes qui ne devrait plus être utilisés (nombreuses rainbow tables, failles dans l'algorithme ...) Une solution efficace pour hasher ses mots de passe est l'utilisation de bcrypt mais malheureusement peu de développeur l'utilisent notamment à cause de la fonction crypt() de php qui n'est pas des plus facile...

    Read the article

  • Question about the no-endorsment clause on the BSD license

    - by Earlz
    I'm developing a non-free library and I want to use Bcrypt.Net in it. The clause in question: Neither the name of BCrypt.Net nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. To what extent does this mean I can't use the name of Bcrypt.Net? For instance, could I say "the only ASP.Net authentication library capable of using Bcrypt" or can I even include "supports Bcrypt for password hashing" in promotional materials? Note: I do not actually modify any of Bcrypt.Net's code

    Read the article

  • openssl/rand.h header file not found

    - by Arun Reddy Kandoor
    I have installed libssl-dev package but that did not install the include files. How do I get the openssl include files? Appreciate your help. Checking for program g++ or c++ : /usr/bin/g++ Checking for program cpp : /usr/bin/cpp Checking for program ar : /usr/bin/ar Checking for program ranlib : /usr/bin/ranlib Checking for g++ : ok Checking for node path : ok /usr/bin/node Checking for node prefix : ok /usr Checking for header openssl/rand.h : not found /home/arun/Documents/webserver/node_modules/bcrypt/wscript:30: error: the configuration failed (see '/home/arun/Documents/webserver/node_modules/bcrypt/build/config.log') npm ERR! error installing [email protected] npm ERR! [email protected] preinstall: `node-waf clean || (exit 0); node-waf configure build` npm ERR! `sh "-c" "node-waf clean || (exit 0); node-waf configure build"` failed with 1 npm ERR! npm ERR! Failed at the [email protected] preinstall script. npm ERR! This is most likely a problem with the bcrypt package, npm ERR! not with npm itself. npm ERR! Tell the author that this fails on your system: npm ERR! node-waf clean || (exit 0); node-waf configure build npm ERR! You can get their info via: npm ERR! npm owner ls bcrypt npm ERR! There is likely additional logging output above. npm ERR! npm ERR! System Linux 3.8.0-32-generic npm ERR! command "node" "/usr/bin/npm" "install" npm ERR! cwd /home/arun/Documents/webserver npm ERR! node -v v0.6.12 npm ERR! npm -v 1.1.4 npm ERR! code ELIFECYCLE npm ERR! message [email protected] preinstall: `node-waf clean || (exit 0); node-waf configure build` npm ERR! message `sh "-c" "node-waf clean || (exit 0); node-waf configure build"` failed with 1 npm ERR! errno {} npm ERR! npm ERR! Additional logging details can be found in: npm ERR! /home/arun/Documents/webserver/npm-debug.log npm not ok

    Read the article

  • Spring security or BCrypt algorithm which one is good for accounts like project?

    - by Ranjith Kumar Nethaji
    I am using spring security for hashing my password.And is it safe ,because am using spring security for first time. my code here <security:http auto-config="true"> <security:intercept-url pattern="/welcome*" access="ROLE_USER" /> <security:form-login login-page="/login" default-target-url="/welcome" authentication-failure-url="/loginfailed" /> <security:logout logout-success-url="/logout" /> </security:http> authentication-failure-url="/loginfailed" /> <security:logout logout-success-url="/logout" /> </security:http> <authentication-manager> <authentication-provider> <password-encoder hash="sha" /> <user-service> <user name="k" password="7c4a8d09ca3762af61e59520943dc26494f8941b" authorities="ROLE_USER" /> </user-service> </authentication-provider> </authentication-manager> .And I havnt used bcrypt algorithm.what is your feedback for both?any recommendation?

    Read the article

  • Using a password to generate two distinct hashes without reducing password security

    - by Nevins
    Hi there, I'm in the process of designing a web application that will require the storage of GPG keys in an encrypted format in a database. I'm planning on storing the user's password in a bCrypt hash in the database. What I would like to be able to do is to use that bCrypt to authenticate the user then use the combination of the stored bCrypt hash and another hash of the password to encrypt and decrypt the GPG keys. My question is whether I can do this without reducing the security of the password? I was thinking I may be able to use something like an HMAC-SHA256 of a static string using the password and a salt as the secret key. Is there a better way to do this that I haven't thought of? Thanks

    Read the article

  • How to change password hashing algorithm when using spring security?

    - by harry
    I'm working on a legacy Spring MVC based web Application which is using a - by current standards - inappropriate hashing algorithm. Now I want to gradually migrate all hashes to bcrypt. My high level strategy is: New hashes are generated with bcrypt by default When a user successfully logs in and has still a legacy hash, the app replaces the old hash with a new bcrypt hash. What is the most idiomatic way of implementing this strategy with Spring Security? Should I use a custom Filter or my on AccessDecisionManager or …?

    Read the article

  • PHP security regarding login

    - by piers
    I have read a lot about PHP login security recently, but many questions on Stack Overflow regarding security are outdated. I understand bcrypt is one of the best ways of hashing passwords today. However, for my site, I believe sha512 will do very well, at least to begin with. (I mean bcrypt is for bigger sites, sites that require high security, right?) I´m also wonder about salting. Is it necessary for every password to have its own unique salt? Should I have one field for the salt and one for the password in my database table? What would be a decent salt today? Should I join the username together with the password and add a random word/letter/special character combination to it? Thanks for your help!

    Read the article

  • How to do MVC the right way

    - by Ieyasu Sawada
    I've been doing MVC for a few months now using the CodeIgniter framework in PHP but I still don't know if I'm really doing things right. What I currently do is: Model - this is where I put database queries (select, insert, update, delete). Here's a sample from one of the models that I have: function register_user($user_login, $user_profile, $department, $role) { $department_id = $this->get_department_id($department); $role_id = $this->get_role_id($role); array_push($user_login, $department_id, $role_id); $this->db->query("INSERT INTO tbl_users SET username=?, hashed_password=?, salt=?, department_id=?, role_id=?", $user_login); $user_id = $this->db->insert_id(); array_push($user_profile, $user_id); $this->db->query(" INSERT INTO tbl_userprofile SET firstname=?, midname=?, lastname=?, user_id=? ", $user_profile); } Controller - talks to the model, calls up the methods in the model which queries the database, supplies the data which the views will display(success alerts, error alerts, data from database), inherits a parent controller which checks if user is logged in. Here's a sample: function create_user(){ $this->load->helper('encryption/Bcrypt'); $bcrypt = new Bcrypt(15); $user_data = array( 'username' => 'Username', 'firstname' => 'Firstname', 'middlename' => 'Middlename', 'lastname' => 'Lastname', 'password' => 'Password', 'department' => 'Department', 'role' => 'Role' ); foreach ($user_data as $key => $value) { $this->form_validation->set_rules($key, $value, 'required|trim'); } if ($this->form_validation->run() == FALSE) { $departments = $this->user_model->list_departments(); $it_roles = $this->user_model->list_roles(1); $tc_roles = $this->user_model->list_roles(2); $assessor_roles = $this->user_model->list_roles(3); $data['data'] = array('departments' => $departments, 'it_roles' => $it_roles, 'tc_roles' => $tc_roles, 'assessor_roles' => $assessor_roles); $data['content'] = 'admin/create_user'; parent::error_alert(); $this->load->view($this->_at, $data); } else { $username = $this->input->post('username'); $salt = $bcrypt->getSalt(); $hashed_password = $bcrypt->hash($this->input->post('password'), $salt); $fname = $this->input->post('firstname'); $mname = $this->input->post('middlename'); $lname = $this->input->post('lastname'); $department = $this->input->post('department'); $role = $this->input->post('role'); $user_login = array($username, $hashed_password, $salt); $user_profile = array($fname, $mname, $lname); $this->user_model->register_user($user_login, $user_profile, $department, $role); $data['content'] = 'admin/view_user'; parent::success_alert(4, 'User Sucessfully Registered!', 'You may now login using your account'); $data['data'] = array('username' => $username, 'fname' => $fname, 'mname' => $mname, 'lname' => $lname, 'department' => $department, 'role' => $role); $this->load->view($this->_at, $data); } } Views - this is where I put html, css, and JavaScript code (form validation code for the current form, looping through the data supplied by controller, a few if statements to hide and show things depending on the data supplied by the controller). <!--User registration form--> <form class="well min-form" method="post"> <div class="form-heading"> <h3>User Registration</h3> </div> <label for="username">Username</label> <input type="text" id="username" name="username" class="span3" autofocus> <label for="password">Password</label> <input type="password" id="password" name="password" class="span3"> <label for="firstname">First name</label> <input type="text" id="firstname" name="firstname" class="span3"> <label for="middlename">Middle name</label> <input type="text" id="middlename" name="middlename" class="span3"> <label for="lastname">Last name</label> <input type="text" id="lastname" name="lastname" class="span3"> <label for="department">Department</label> <input type="text" id="department" name="department" class="span3" list="list_departments"> <datalist id="list_departments"> <?php foreach ($data['departments'] as $row) { ?> <option data-id="<?php echo $row['department_id']; ?>" value="<?php echo $row['department']; ?>"><?php echo $row['department']; ?></option> <?php } ?> </datalist> <label for="role">Role</label> <input type="text" id="role" name="role" class="span3" list=""> <datalist id="list_it"> <?php foreach ($data['it_roles'] as $row) { ?> <option data-id="<?php echo $row['role_id']; ?>" value="<?php echo $row['role']; ?>"><?php echo $row['role']; ?></option> <?php } ?> </datalist> <datalist id="list_collection"> <?php foreach ($data['tc_roles'] as $row) { ?> <option data-id="<?php echo $row['role_id']; ?>" value="<?php echo $row['role']; ?>"><?php echo $row['role']; ?></option> <?php } ?> </datalist> <datalist id="list_assessor"> <?php foreach ($data['assessor_roles'] as $row) { ?> <option data-id="<?php echo $row['role_id']; ?>" value="<?php echo $row['role']; ?>"><?php echo $row['role']; ?></option> <?php } ?> </datalist> <p> <button type="submit" class="btn btn-success">Create User</button> </p> </form> <script> var departments = []; var roles = []; $('#list_departments option').each(function(i){ departments[i] = $(this).val(); }); $('#list_it option').each(function(i){ roles[roles.length + 1] = $(this).val(); }); $('#list_collection option').each(function(i){ roles[roles.length + 1] = $(this).val(); }); $('#list_assessor option').each(function(i){ roles[roles.length + 1] = $(this).val(); }); $('#department').blur(function(){ var department = $.trim($(this).val()); $('#role').attr('list', 'list_' + department); }); var password = new LiveValidation('password'); password.add(Validate.Presence); password.add(Validate.Length, {minimum: 10}); $('input[type=text]').each(function(i){ var field_id = $(this).attr('id'); var field = new LiveValidation(field_id); field.add(Validate.Presence); if(field_id == 'department'){ field.add(Validate.Inclusion, {within : departments}); } else if(field_id == 'role'){ field.add(Validate.Inclusion, {within : roles}) } }); </script> The codes above are actually code from the application that I'm currently working on. I'm working on it alone so I don't really have someone to review my code for me and point out the wrong things in it so I'm posting it here in hopes that someone could point out the wrong things that I've done in here. I'm also looking for some guidelines in writing MVC code like what are the things that should be and shouldn't be included in views, models and controllers. How else can I improve the current code that I have right now. I've written some really terrible code before(duplication of logic, etc.) that's why I want to improve my code so that I can easily maintain it in the future. Thanks!

    Read the article

  • Proper password handling for login

    - by piers
    I have read a lot about PHP login security recently, but many questions on Stack Overflow regarding security are outdated. I understand bcrypt is one of the best ways of hashing passwords today. However, for my site, I believe sha512 will do very well, at least to begin with. (I mean bcrypt is for bigger sites, sites that require high security, right?) I´m also wonder about salting. Is it necessary for every password to have its own unique salt? Should I have one field for the salt and one for the password in my database table? What would be a decent salt today? Should I join the username together with the password and add a random word/letter/special character combination to it? Thanks for your help!

    Read the article

  • Why do password strength requirements exist? [migrated]

    - by Bozho
    Password strength is now everything, and they force you to come up with passwords with digits, special characters, upper-case letters and whatnot. Apart from being a usability nightmare (even I as a developer hate it when a website requires a complex password), what are the actual benefits of having strong passwords (for website authentication)? Here are the prerequisites of a system that handles authentication properly: store passwords using bcrypt (or at least use salt+hash) - hard-to-impossible to find the original password when an attacker gets the database lock subsequent password attempts with a growing cooldown - no brute-force via the site

    Read the article

  • AJAX Password Change without Refresh

    - by Richard
    I'm trying to implement password change functionality into my website. I've got all the password changing script, validation, etc done. But now I need to prevent the page from going to the script page or refreshing. When the user clicks the submit button, I want nothing to change except a message displaying successfully changed or error. So here's my html: <form id="change_Pass" action="" method="post"> Current Password<input type="password" id="change_password" name="change_password"><br> New Password<input type="password" id="new_password" name="new_password"><br> Verify Password<input type="password" id="verify_password" name="verify_password"><br> <input type="submit" value="Submit" id="change_pass_submit"> </form> And my jquery: $('#change_pass_submit').click(function(){ var $this = $(this); $.ajax({ data: $this.serialize(), // get the form data type: "POST", // GET or POST url: "/Private/change_password.php", // the file to call success: function() { // on success.. //$('#success_div).html(response); // update the DIV alert("good"); }, error: function() { // on error.. //$('#error_div).html(e); // update the DIV alert("bad"); } }); return false; //so it doesn't refresh when submitting the page }); And my php: <?php session_start(); require_once '../classes/Bcrypt.php'; ini_set('display_errors', 'On'); error_reporting(E_ALL | E_STRICT); $usr = $_SESSION["username"]; $old_pwd = $_POST["change_password"]; $new_pwd = $_POST["new_password"]; $new_pwd = Bcrypt::hash($new_pwd); try { $link = new PDO('mysql:host=*;dbname=*;charset=UTF-8','*','*'); $query = "SELECT * FROM Conference WHERE Username = :un"; $stmt = $link->prepare($query); $stmt->bindParam(':un', $usr); $stmt->execute(); $row = $stmt->fetchAll(); $hash = $row[0]["Password"]; $is_correct = Bcrypt::check($old_pwd, $hash); if($is_correct) { $query = "UPDATE Conference SET `Password`=:new_pwd WHERE Username = :usr"; $stmt = $link->prepare($query); $stmt->bindParam(':new_pwd', $new_pwd); $stmt->bindParam(':usr', $usr); $stmt->execute(); return true; } else return false; } catch(PDOException $e) { print "Error!: " . $e->getMessage() . "<br/>"; die(); } But for some reason, when I hit the submit button, the page STILL goes to change_password.php. I have no idea why, i've looked at so many tutorials and my code matches theirs but for some reason mine won't stay on the same page. Where did I go wrong?

    Read the article

  • MVC App Works in Visual Studio, but not IIS7

    - by kesh
    Working on a an ASP.NET MVC Project, and I'm having some difficulties deploying to a shared dev server. Locally, when debugging using the local Visual Studio 2008 server, everything works peachy. However, once deployed, I receive the following error: Parser Error Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately.## Heading ## Parser Error Message: Unable to find an entry point named 'BCryptGetFipsAlgorithmMode' in DLL 'bcrypt.dll'. Source Error: Line 1: <%@ Application Codebehind="Global.asax.cs" Inherits="APPLICATION_NAME.Web.MvcApplication" Language="C#" %> Source File: /APPLICATION_NAME/global.asax Line: 1 Version Information: Microsoft .NET Framework Version:2.0.50727.4927; ASP.NET Version:2.0.50727.4927 In the error log: Event sequence: 1 Event occurrence: 1 Event detail code: 0 Application information: Application domain: /LM/W3SVC/1/ROOT/APPLICATION_NAME-4-128995312096183595 Trust level: Full Application Virtual Path: /APPLICATION_NAME Application Path: E:\PROJECTS\APPLICATION\APPLICATION_NAME\APPLICATION_NAME\app\APPLICATION_NAME.Web\ Machine name: PC Process information: Process ID: 4608 Process name: w3wp.exe Account name: IIS APPPOOL\DefaultAppPool Exception information: Exception type: HttpException Exception message: Unable to find an entry point named 'BCryptGetFipsAlgorithmMode' in DLL 'bcrypt.dll'. Request information: Request URL: http://localhost/APPLICATION_NAME Request path: /APPLICATION_NAME User host address: ::1 User: Is authenticated: False Authentication Type: Thread account name: IIS APPPOOL\DefaultAppPool Thread information: Thread ID: 6 Thread account name: IIS APPPOOL\DefaultAppPool Is impersonating: False Stack trace: at System.Web.Compilation.BuildManager.ReportTopLevelCompilationException() at System.Web.Compilation.BuildManager.EnsureTopLevelFilesCompiled() at System.Web.Hosting.HostingEnvironment.Initialize(ApplicationManager appManager, IApplicationHost appHost, IConfigMapPathFactory configMapPathFactory, HostingEnvironmentParameters hostingParameters) Custom event details: After finding the deployment error, I tried adding an application locally, and that seems to result in the same application. On my local dev machine, I'm using Windows 7 RTM (x64), and on the shared server I'm running Windows Server 2008 Standard (x86). Poked around, and my FIPS encryption in Local Security Policy is disabled, so I'm at a bit of a loss.

    Read the article

  • keepass not working with wine

    - by Decio Lira
    I installed Keepass 1.16 in my thumbdrive, which reportedly works with wine (as per Keepass homepage), but after entering the master password it just hangs and shows the "The program keepass has encountered a serious problem and needs to close" screen. I got this error msg among the stack trace on the terminal: wine: Call from 0x7b844633 to unimplemented function bcrypt.dll.BCryptOpenAlgorithmProvider, aborting On windows, everything runs fine. I'm using wine-1.1.27 on ubuntu 9.04 Any thoughts?

    Read the article

  • node.js: encrypting data that needs to be decrypted?

    - by fancy
    We are using bcrypt for passwords and data that never needs to be decrypted. What should do to protect other user information that does. For this example lets say that we didn't want a users real name to be in plain text in case someone was to obtain the db. This is somewhat sensitive data but also needs to be called from time to time and displayed in plain text. Is there a simple way to do this?

    Read the article

  • Opinions on Dual-Salt authentication for low sensitivity user accounts?

    - by Heleon
    EDIT - Might be useful for someone in the future... Looking around the bcrypt class in php a little more, I think I understand what's going on, and why bcrypt is secure. In essence, I create a random blowfish salt, which contains the number of crypt rounds to perform during the encryption step, which is then hashed using the crypt() function in php. There is no need for me to store the salt I used in the database, because it's not directly needed to decrypt, and the only way to gain a password match to an email address (without knowing the salt values or number of rounds) would be to brute force plain text passwords against the hash stored in the database using the crypt() function to verify, which, if you've got a strong password, would just be more effort than it's worth for the user information i'm storing... I am currently working on a web project requiring user accounts. The application is CodeIgniter on the server side, so I am using Ion Auth as the authentication library. I have written an authentication system before, where I used 2 salts to secure the passwords. One was a server-wide salt which sat as an environment variable in the .htaccess file, and the other was a randomly generated salt which was created at user signup. This was the method I used in that authentication system for hashing the password: $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; //create a random string to be used as the random salt for the password hash $size = strlen($chars); for($i = 0; $i < 22; $i++) { $str .= $chars[rand(0, $size - 1)]; } //create the random salt to be used for the crypt $r_blowfish_salt = "$2a$12$" . $str . "$"; //grab the website salt $salt = getenv('WEBSITE_SALT'); //combine the website salt, and the password $password_to_hash = $pwd . $salt; //crypt the password string using blowfish $password = crypt($password_to_hash, $r_blowfish_salt); I have no idea whether this has holes in it or not, but regardless, I moved over to Ion Auth for a more complete set of functions to use with CI. I noticed that Ion only uses a single salt as part of its hashing mechanism (although does recommend that encryption_key is set in order to secure the database session.) The information that will be stored in my database is things like name, email address, location by country, some notes (which will be recommended that they do not contain sensitive information), and a link to a Facebook, Twitter or Flickr account. Based on this, i'm not convinced it's necessary for me to have an SSL connection on the secure pages of my site. My question is, is there a particular reason why only 1 salt is being used as part as the Ion Auth library? Is it implied that I write my own additional salting in front of the functionality it provides, or am I missing something? Furthermore, is it even worth using 2 salts, or once an attacker has the random salt and the hashed password, are all bets off anyway? (I assume not, but worth checking if i'm worrying about nothing...)

    Read the article

  • What hash should be used to ensure file integrity?

    - by Corey Ogburn
    It's no secret that large files offered up for download often are coupled with their MD5 or SHA-1 hash so that after you download you can verify the file's integrity. Are these still the best algorithms to use for this? Obviously these are very popular hashes that potential downloaders would have easy access to. Ignoring that factor, what hashes have the best properties for being used for this? For example, bcrypt would be horrible for this. It's designed to be slow. That would suck to use on your 7.4 GB dual layer OS ISO you just downloaded when a 12 letter password might take up to a second with the right parameters.

    Read the article

  • SO-overflow induced passivity - how to cope?

    - by Ruben
    After not really working on my pet project for a while, I discovered Stackoverflow and upon perusing it more intensely I was quite amazed. I'm a bit of a perfectionist, so when I found eye-openers here highlighting many of the mistakes I made, I first wanted to fix everything. However, it's a pet project for a reason: I'm self-taught and I'm studying psychology, so programming skills can never become priority one (though it often helps, even in this field). Issues that stuck out were numerous security issues (e.g. CSRF-prevention and bcrypt eluded me) not object-oriented (at least the PHP part, the JS-part mostly is) no PHP framework used, so many of my DIY takes on commonly-tackled components (auth, ...) are either bad or inefficient really poor MySQL usage (no prepared statements, mysql extension, heard about setting proper indices two days ago) using mootools even though JQuery seems to be fashionable, so there's more probably always going to be better integration with services I'd like to use (like google visualization) So, my SO-induced frenzy turned into passivity. I can't do it all (soon) in the rather small amount of spare time I can spend on working on my project. I can leave some of the issues be in good conscience (speed stuff: an unfinished & unpublished project will never become popular, right?). No clear conscience without good security though and if I don't use a framework for auth and other complex stuff I'll regret having to do it myself. One obvious answer would probably be going open-source, but I think the project would need to become more impressive before others would commit to it. I can't afford to employ someone either. I do think the project deserves being worked on, though. How should I tackle it anyway? What's the best practice for little-practice people?

    Read the article

  • CodePlex Daily Summary for Wednesday, February 17, 2010

    CodePlex Daily Summary for Wednesday, February 17, 2010New ProjectsAcademic Success Accounting System: The system is intended to use by school teacher to set marks to students and estimate their academic success and possibilities. The client applicat...Access.PowerTools: Access PowerTools is currently a sample MS Access add-in project to try & test features of Add-in Express™ 2009 for Microsoft® Office and .net (ht...AntoonCms: AntoonCms makes it easy to maintain a simple website with it's builtin administration pages. It's developed in C# on target Framework 2.0 The CMS...ASP.NET MVC Mehr Lib: Mehr Lib makes it easier for ASP.NET MVC developers to do develop projects. It's developed in C#. This version currently include Ajax master detail...BCryptTool: Developer tool that calculates BCrypt hash codes for strings. BCrypt is an implementation of the Blowfish cipher and a computationally-expensive ha...Coronasoft Cryostasis scripting engine: A scripting engine that allows you to dynamically load plugins from just about any supported .NET language. Its written in C#. Languages supported ...Critical Point Search: Critical Point Searchcritical points: critical pointsFont Family Name Retrieval: This library helps developer to retrieve the font family name from the TTF, OTF and TTC font files, so that developer can display the font without ...jQuery Form Input Hints Plugin: Automatically display hints on input textboxes in your forms using this jQuery plugin. I wrote this code to be as simple and as easy to use as pos...Kojax: kojax projectKronRetro: KronRetro! Making a Habbo Retro just got easier! Powered by PHP & MySQL you can make a Habbo Retro site fast!MVVM Wrapper Kit: MVVM Wrapper Kit makes it easier for View Model programmers to wrap their business objects and collections while preserving change notification and...ObjectCartographer: ObjectCartographer is an object to object mapper and object factory. It's developed in C#.PE-file Reader Writer API (PERWAPI): PERWAPI is a reader writer module for .NET program executables. It has been used as back-end for progamming language compilers such as Gardens Poi...Pinger: A simple Pinger, pings an address until you press a buttonQPV: 0.1: QPV aka Que pelicula es una aplicacion que consiste crear una base de datos potente de peliculas, criticas e informacion para poder filtrar pelicul...SIMD Detector: This SIMD class helps developers to detect the types of SIMD instruction available on users' processor. It supports Intel and AMD CPUs. It is writt...StackOverflow Test Project: Following Andrew Siemer's StackOverflow Knowledge Exchange Project.WeBlog: A blogging platform built on the MVC framework The project will showcase current technologies such as MVC 2, Silverlight 4 and jQuery 1.4. Data pro...Webmedia: this is my webmedia projectWindows Azure RSS Reader: This is and online RSS reader based on the Windows Azure platformWordEditor. A Word Editor for Windows, and an extended RichTextBox control.: This is a word editor that can be used as a stand alone word processor, or added to an existing project.Домашняя Бухгалтерия: Программа для ведения домашнего бухгалтерского учета финансов. New ReleasesAccess.PowerTools: Access PowerTools Add-In Community Edition v.0.0.1: Access PowerTools Add-In Community Edition v.0.0.1 is a sample MS Access add-in project to try & test Add-in Express™ 2009 for Microsoft® Office an...Active CSS: ActiveCSS-0.1.1: revision for version 0.1ASP.NET: Microsoft Ajax Minifier 4.0: The Microsoft Ajax Minifier enables you to improve the performance of your Ajax applications by reducing the size of your Cascading Style Sheet and...ASP.NET MVC Mehr Lib: V1.0: Mehr Lib V1.0 This version currently include ajax master detail combo facilities.ASP.net Ribbon: Version 1.2: New controls : Expandable gallery Color Picker Multi color File Menu Some JS modifications. Some CSS modifications. Includes some functionna...ASP.NET Web Forms Model-View-Presenter (MVP) Contrib: WebForms MVP Contrib CTP6: This is a release of the WebForms MVP Contrib project for WebForms MVP CTP6. Release includes: WebForms MVP Contrib framework Ninject IoC containerAwesomiumDotNet: AwesomiumDotNet 1.2.1: - Added Awesomium 1.5 features: URL filtering, header rewrite rules, SetOpensExternalLinksInCallingFrame. - Numerous fixes and improvements.BCryptTool: BCryptTool v0.1: The Microsoft .NET Framework 3.5 (SP1) is needed to run this program.Buzz Dot Net: Buzz Dot Net v.1.10216: Features Parse Google Buzz feed to Objects Partial MVVM Implementation Partial OptimizationsCanvas VSDOC Intellisense: v1.0.0.0a: canvas-vsdoc.js and canvas-utils.js JavaScript intellisense for HTML5 Canvas element.CheckHeader: CheckHeader v0.8.5: The Microsoft .NET Framework 3.5 (SP1) is needed to run this program.Claymore MVP: Claymore 1.0.2.0: Changelog Added ASP.NET WebForm support via ClaymoreHttpModule class. Added xsd schema for Visual Studio Intellisense within App.config and Web....Dam Gd - URL Shortner: Dam.gd Version 1.1: This is the latest instalment in our URL shortner. It uses The Easy API http://theeasyapi.com to access data that is used for the back-end analyti...D-AMPS: D-AMPS 0.9.1: Initial version.easySMS: easySMS 1.0 Source code: easySMS 1.0 Source codeFont Family Name Retrieval: 1st Release: Version 1.0.0Free Silverlight & WPF Chart Control - Visifire: Visifire Now Supports DataBinding: Hi, Today we are releasing the much awaited DataBinding feature in Visifire 3.0.3 beta 3. Now you can Bind any DataSource at the Series level so t...GenerateTypedBamApi: Version 2.0: Changes in this release: NEW: Export functionality no longer requires Excel to be installed (uses OLE DB vs. Excel Automation; also enables usage i...Gmail Notifier 2: GmailNotifier2 1.2.1: Fixes issues #9652, #9653iTuner - The iTunes Companion: iTuner 1.1.3699: This includes the first pass of the iTuner Librarian including management of dead tracks, duplicates, and empty directories... While I promised a ...jQuery Form Input Hints Plugin: jQuery.InputHints v1.0: jQuery.InputHints v1.0 Includes Standard & minified source Demo HTML file VS2008 SolutionLibWowArmory: LibWowArmory 0.2.3 beta: LibWowArmory 0.2.3 betaThis release of the LibWowArmory source code matches the WoW Armory as of version 3.3.2. Changes since version 0.2.2:Update...Managed Extensibility Framework: MEF Preview 9: We have merged the .net 3.5 and Silverlight 3 into a single zip. The bin folder contains the binaries for .net 3.5 whereas bin\SL contains the bina...MDX Parser,Builder,DOM and OLAP visual controls with Writeback for Silverlight: Ranet.UILibrary.Olap-1.3.3.0-6571.msi: February 16, 2010 * MdxDesigner: Fix for the issue where when an element is clicked, the mouse wheel stops working until the cursor leaves and r...MEFGeneric: MEFGeneric Preview 9: MEFGeneric Preview 9 release.Mesopotamia Experiment: Mesopotamia 1.2.26: Bug Fixes - mud map - progress window - recycle app domains on robotics engine crashes( in command prompt and visual, major work) - fixed rooomba h...Microsoft Solution Framework for Business Intelligence in Media: Release 1.0: This is the public release of the Microsoft Solution Framework for Business Intelligence in Media (Release 1.0).MVVM Wrapper Kit: MVVM Wrapper Beta: A simple test project is included to get you up and running, and wrapping those business objects.nBayes - Bayesian Filtering in C#: nBayes v0.2: nBayes' indexing system is factored in such a way that you can easily replace the index with a custom implementation. This release introduces an ad...NetSqlAzMan - .NET SQL Authorization Manager: 3.6.0.5: 3.6.0.5 16-February-2010 - Fix: SqlAzManSid Class. "Equals" matches object signiture instead of IAzManSid signiture. When a real null object is pas...ObjectCartographer: ObjectCartographer Code 1.0: This is the first release and contains code to help with object to object mapping (including mapping from one object to multiple objects), object f...Office Apps: 0.8.6: Bug fix's, added Calendar.OI - Open Internet: OI HTML and .XAP files (OI offline): this is the HTML code and the XAP file. please right-click the app at http://bit.ly/openinternet and select "install openinternet application to th...PE-file Reader Writer API (PERWAPI): PERWAPI-1.1.3: Perwapi version 1.1.3 is the complete distribution package. It contains Binary files, pdb files and xml files for the PERWAPI and SymbolRW compone...Pinger: Pinger 1.0.0.0 Binary: The Latest BinaryRNA Comparative Analysis Software Tools: RNA Comparative Analysis Software Tools 2.0: RNA Comparative Analysis Software Tools Version 2.0 Note: The RNA Comparative Analysis Software Tools are provided as is, without any warranty. No...SAL- Self Artificial Learning: Artificial Learning working proof of concept: This is a working proof of concept. It includes the Dev version (in .zip format) and the consumer version (in .exe format)SharePoint Management PowerShell scripts: SharePoint 2010 PowerShell Scripts: All the SharePoint 2010 PowerShell Scripts The first file is an Excel 2010 file allowing to find quiclky and easily the new cmdlets available wi...SIMD Detector: 1st Release: Version 1.3 Supports MMX/MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, SSE4a, SSE5, 3DNow.Terminals: Terminals 1.9 Beta Release: This is a beta release so the new features being added to terminals can be tested properly. The major change in this release is that Terminals has...Text Designer Outline Text Library: 9th minor release: Added the ability to select brush, such as gradient brush or texture brush for the text body. Added CSharp library, TextDesignerCSLibrary. Manage...VivoSocial: VivoSocial 7.0.2: This release has several updated modules. See the Support Forums for more details. Since we update modules very often, we will be changing how we d...WatchersNET CKEditor™ Provider for DotNetNuke: CKEditor Provider 1.6.00: changes CKEditor Upgrade to Version 3.2 SVN 5132 File Browser: After File Upload, File will be Auto Selected File Browser: Icons are corrected ...WordEditor. A Word Editor for Windows, and an extended RichTextBox control.: WordEditor Source Code: This contains the latest solution file, with all project files included.Домашняя Бухгалтерия: Alapha Realease: Принимаются ваши предложения по дизайну и функциональности программы.Most Popular ProjectsRawrWBFS ManagerAJAX Control ToolkitMicrosoft SQL Server Product Samples: DatabaseSilverlight ToolkitWindows Presentation Foundation (WPF)Image Resizer Powertoy Clone for WindowsMicrosoft SQL Server Community & SamplesASP.NETLiveUpload to FacebookMost Active ProjectsDinnerNow.netRawrBlogEngine.NETSimple SavantNB_Store - Free DotNetNuke Ecommerce Catalog Modulepatterns & practices – Enterprise LibraryPHPExcelSharpyjQuery Library for SharePoint Web ServicesFluent Validation for .NET

    Read the article

1 2  | Next Page >