Posted to user@cayenne.apache.org by Robert Zeigler <ro...@gmail.com> on 2008/08/07 19:13:50 UTC
hashing, best practices?
Hi all,

Up to this point, whenever I've had to store hashed text (say, the
hashed form of a password) in the db, I've simply hashed in code.
But the question arose the other day of how you would go about doing
this on the database side (assuming your target db supports your
target hash function).
Say, for example, you have the following table:

users
  id integer
  username varchar('32')
  password varchar('40')

And you want to hash the password as sha1.

Using mysql and straight sql, you would do something like:

insert into users (id,username,password)
values(1,'userx',sha1('usery'));

Is there some way to get cayenne to generate this same sql when
inserting new rows?
Or, for example, when cayenne detects a diff in password, and does an
update users set password=..., to have it do
password=sha1('newpassword')?

Of course, I can hash the password in code... but it would be nice if
cayenne could somehow manage this for me.

And I could do some sort of ugly hack like having a post-persist
callback that executes sqltemplate to sha1-hash the value of the newly
inserted row... but that really is ugly.

Surely I'm not the only one who hashes passwords in the database. ;)
What are other people doing here? Does everyone just handle the
hashing in code, like I've been doing up until now?

Robert
Re: hashing, best practices?
Posted by Robert Zeigler <ro...@gmail.com>.
Yeah, that's what I've always done, as well.
I was just sitting here wondering if there was a way to take advantage
of the db functions.
Ah well. Thanks!
Robert
On Aug 7, 2008, at 8/72:00 PM , Michael Gentry wrote:
> I've done it in code. If your Java side is the same as the DB side,
> it really doesn't much matter (like using SHA1). (If you want someone
> to be able to reset the password from the SQL command-line, for
> example). Doing it in code seems fine to me. Create a setPassword()
> cover method in Users.java that hashes it and sets it in the parent:
>
> public void setPassword(String newPassword)
> {
>     super.setPassword(sha1(newPassword));
> }
>
> This way you toss the plain-text password quickly. Also, if it is set
> to the original password, Cayenne will skip it as a changed value.
>
> I've also used this technique with encryption, too. You have to
> override the set/get methods for the encrypted fields (say, a social
> security number or a credit card number). It is a little more work to
> do queries on encrypted fields, of course.
Re: hashing, best practices?
Posted by Michael Gentry <bl...@gmail.com>.
Yeah, I was drastically simplifying, but didn't mention it.
On Thu, Aug 7, 2008 at 8:26 PM, Aristedes Maniatis <ar...@ish.com.au> wrote:
>
> On 08/08/2008, at 5:00 AM, Michael Gentry wrote:
>
>> public void setPassword(String newPassword)
>> {
>>     super.setPassword(sha1(newPassword));
>> }
>
> That's close to what we do too. Some small caveats:
>
> * think carefully about how you implement validation like 'password length
> is more than 4 characters' since the hash will always be more than 4
> characters
>
> * salt the password before hashing it (for example with the username and
> some other random string) otherwise you make it easy for someone to change
> the database value to a known password. That is, the password 'mypass'
> should hash to two different results for two different users.
>
> * make sure you don't getPassword and then setPassword somewhere in your
> code otherwise you'll keep rehashing the hashed version.
>
> Cheers
>
> Ari
Re: hashing, best practices?
Posted by Aristedes Maniatis <ar...@ish.com.au>.
On 08/08/2008, at 5:00 AM, Michael Gentry wrote:

> public void setPassword(String newPassword)
> {
>     super.setPassword(sha1(newPassword));
> }

That's close to what we do too. Some small caveats:

* think carefully about how you implement validation like 'password
  length is more than 4 characters' since the hash will always be more
  than 4 characters

* salt the password before hashing it (for example with the username
  and some other random string) otherwise you make it easy for someone
  to change the database value to a known password. That is, the
  password 'mypass' should hash to two different results for two
  different users.

* make sure you don't getPassword and then setPassword somewhere in
  your code otherwise you'll keep rehashing the hashed version.

Cheers

Ari
-------------------------->
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
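
[Added example, not part of the thread and not Cayenne code] The three caveats above applied to the setPassword() cover method. UsersBase, writePassword, readPassword and checkPassword are hypothetical names; the JDK's PBKDF2 with a random per-user salt is swapped in for the thread's sha1() helper and username-based salt, and the iteration count is an example value.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical stand-in for the Cayenne-generated superclass of Users.
class UsersBase {
    private String password; // column must be wider than varchar(40) for this format
    protected void writePassword(String stored) { password = stored; }
    protected String readPassword() { return password; }
}

public class Users extends UsersBase {
    private static final int ITERATIONS = 600_000; // example work factor (assumption)
    private static final SecureRandom RNG = new SecureRandom();

    // Validate the plaintext first, then store "iterations:salt:hash" with a fresh salt.
    public void setPassword(String newPassword) throws Exception {
        if (newPassword == null || newPassword.length() <= 4)
            throw new IllegalArgumentException("password must be longer than 4 characters");
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        writePassword(ITERATIONS + ":" + b64(salt) + ":" + b64(derive(newPassword, salt, ITERATIONS)));
    }

    // Logins are verified here; with no public getPassword(), the stored value
    // cannot be read back and fed to setPassword() a second time.
    public boolean checkPassword(String candidate) throws Exception {
        String[] p = readPassword().split(":");
        byte[] salt = Base64.getDecoder().decode(p[1]);
        byte[] expected = Base64.getDecoder().decode(p[2]);
        return MessageDigest.isEqual(expected, derive(candidate, salt, Integer.parseInt(p[0])));
    }

    private static byte[] derive(String pw, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw.toCharArray(), salt, iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    private static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }

    public static void main(String[] args) throws Exception {
        Users a = new Users(), b = new Users();
        a.setPassword("mypass");
        b.setPassword("mypass");
        System.out.println("correct password accepted: " + a.checkPassword("mypass"));
        System.out.println("wrong password accepted:   " + a.checkPassword("nopass"));
        System.out.println("same stored value for both users: " + a.readPassword().equals(b.readPassword()));
    }
}
```

Because the salt is random, setting the same password again produces a different stored value, so the attribute no longer compares equal to its previous value.
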
Re: hashing, best practices?
Posted by Michael Gentry <bl...@gmail.com>.
I've done it in code. If your Java side is the same as the DB side,
it really doesn't much matter (like using SHA1). (If you want someone
to be able to reset the password from the SQL command-line, for
example). Doing it in code seems fine to me. Create a setPassword()
cover method in Users.java that hashes it and sets it in the parent:

public void setPassword(String newPassword)
{
    // Hash before handing the value to the generated superclass setter;
    // sha1() is a helper that is not shown in this post.
    super.setPassword(sha1(newPassword));
}

This way you toss the plain-text password quickly. Also, if it is set
to the original password, Cayenne will skip it as a changed value.

I've also used this technique with encryption, too. You have to
override the set/get methods for the encrypted fields (say, a social
security number or a credit card number). It is a little more work to
do queries on encrypted fields, of course.