[aida] Security and passwords

Nicolas Petton petton.nicolas at gmail.com
Thu Feb 7 13:51:45 CET 2008


On Thursday, 07 February 2008 at 13:23 +0100, Janko Mivšek wrote:
> Nicolas Petton wrote:
> 
> > I think we should improve security by storing hashed passwords instead
> > of passwords directly, same thing for requests.
> 
> Strongly agree for storing passwords, while for requests it is not so easy.
> > 
> > For Squeak port we can use SecureHashAlgorithm, and Security.SHA for VW.
> > I know, it's dialect specific, but I didn't find another way...

I was thinking about a method like this in WebSecurityManager class:
hashPassword: aString
	^SecureHashAlgorithm new hashMessage: aString

And in WebUser:
isValidPassword: aString
	^(WebSecurityManager hashPassword: aString) = self password

Same thing for storing passwords.

In SecurityManagerApp:
userNamed: anUsernameString withPassword: aPasswordString
	"Find and return the WebUser with this username and password. Return nil if not found."
	"Both fields must be non-empty; an empty username or an empty password is rejected."
	(anUsernameString ~= '') & (aPasswordString ~= '') ifFalse: [^nil].
	^self users
		detect: [:user |
			(user username asLowercase = anUsernameString asLowercase) and:
				[user password asLowercase = (WebSecurityManager hashPassword: aPasswordString) asLowercase]]
		ifNone: [nil]


In VW, instead of SecureHashAlgorithm new hashMessage: aString we can use:
hashPassword: aString
	^Security.SHA hashFrom: aString asByteArray readStream

I tried it for both Squeak and VW. It works extremely well, and it's
very secure :)

> 
> I would rather use simpler MD5 hash, it is easier to implement and 
> therefore more portable. And Sport can maybe be extended once with MD5, 
> because Bruce Badger uses MD5 in his PostgreSQL driver.
> 
> I know, I know, MD5 is supposed to be broken already, but come on, guys,
> be reasonable...
> 
> Best regards
> Janko
> 
> 
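A Python model of the lookup scheme discussed in this message, added here as an illustration and not code from the Aida project or from either poster: the unsalted digest lookup as proposed (SHA-1 standing in for SecureHashAlgorithm / Security.SHA), beside a salted, constant-time variant. The salted variant, the in-memory USERS table and all function names are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed in-memory stand-in for the WebUser collection: username -> stored
# credential. The cleartext password is never kept, only its digest.
USERS = {}

def hash_password(password: str) -> str:
    """Unsalted digest, as proposed in the thread. Equal passwords give equal
    hashes, so a leaked table can be matched against precomputed digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_password_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened variant (an assumption of this example, not from the thread):
    a random per-user salt is stored next to the digest, so two users with the
    same password no longer share a hash and precomputed tables do not apply."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"

def add_user(username: str, password: str, salted: bool = True) -> None:
    """Store the credential the way the thread stores it: hashed, not cleartext."""
    stored = hash_password_salted(password) if salted else hash_password(password)
    USERS[username.lower()] = stored

def is_valid_password(stored: str, candidate: str) -> bool:
    """Counterpart of WebUser>>isValidPassword: hash the candidate the same way
    the stored value was produced and compare. compare_digest keeps the check
    constant-time, whereas a plain string '=' stops at the first mismatch."""
    if "$" in stored:
        salt_hex, _ = stored.split("$", 1)
        expected = hash_password_salted(candidate, bytes.fromhex(salt_hex))
    else:
        expected = hash_password(candidate)
    return hmac.compare_digest(stored, expected)

def user_named(username: str, password: str) -> Optional[str]:
    """Counterpart of SecurityManagerApp>>userNamed:withPassword:. Both fields
    must be non-empty; the username is matched case-insensitively, the password
    (via its digest) is not."""
    if username == "" or password == "":
        return None
    stored = USERS.get(username.lower())
    if stored is None or not is_valid_password(stored, password):
        return None
    return username.lower()
```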