HUGE security problem in A5 web security :shocked:


    Hi everyone,

    I have been developing my apps myself and recently got some professional programmers to do some more difficult code for me. These programmers were not familiar with A5 but have for the last few months got to know the system very well.

    This week we discussed security of Alpha and handling of the passwords. When they realised how Alpha web security handles passwords I was strongly recommended to take our whole production app offline until we have looked into a solution(!). The problem is that I can easily retrieve the passwords with some simple Alpha coding. To explain it to (an idiot like) me they found a good explanation in a YouTube video; at 2:50 they describe the method used by Alpha (if you want to save three minutes, which is still a good introduction):

    https://www.youtube.com/watch?v=8ZtInClXe1Q

    The only way we can fix the problem is to give everyone random passwords and not give them the option to change them. Not a good solution in the long run, but this is what we will do temporarily. Another option would be to force everyone to log in with Google or similar, but I can't do this as we provide logins to all different people and we can't force them to have Facebook or Gmail accounts.

    Is there an update regarding the security in A5 on the way? The system used seems to be very old. Maybe even an option to use two-way authentication, which is getting more and more common?

    #2
    Re: HUGE security problem in A5 web security

    Well, it's hard to know what to make of this with the limited information you provide.

    Alpha is not supporting v11, sadly.

    And, unless you provide them with some technical information in an email, they probably won't do anything in v12 either.
    Peter
    AlphaBase Solutions, LLC

    https://www.alphabasesolutions.com




      #3
      Re: HUGE security problem in A5 web security

      The problem is simply that all passwords are kept with two-way encryption and can quite easily be hacked and retrieved (I thought the video would explain that, sorry). Anyone with the key (for example my programmers) could easily retrieve all passwords from the database, which in many cases would be the same as the user's email password etc.; it would be fairly simple for these guys to hack into many people's email accounts. Yes, I do have papers signed with all developers so they can't do this without being held responsible, but the same could happen if (when) someone hacks your database. I just don't want to stand responsible for being the one leaking all my clients' passwords, so now we are not giving anyone the option to choose their own password - problem "solved"!

      I think the video above is really worth watching; the method used by Alpha is explained from around 2:40, but the whole video is interesting.

      Or maybe I have missed something and you can choose different methods for encrypting passwords in Alpha?



        #4
        Re: HUGE security problem in A5 web security

        And sorry for posting in the wrong forum; this is still a problem in the latest versions.



          #5
          Re: HUGE security problem in A5 web security

          Thanks. I watched the video. I don't know which method Alpha uses to encrypt, but clearly you do. The thing is that Alpha offers a whole group of security functions, but I don't believe you can customize web security to use them. However, you can create your own custom login/encryption schema. The key would be to somehow tie it to A5 security for a5w pages & web components. Haven't thought that through but that might be possible.

          See these for security details:

          http://wiki.alphasoftware.com/Encryption+Algorithms
          http://wiki.alphasoftware.com/Encryption+Functions
          Peter
          AlphaBase Solutions, LLC

          https://www.alphabasesolutions.com




            #6
            Re: HUGE security problem in A5 web security

            Robert,

            If your consultants have actually done what you fear I hope you'll contact tech support at Alpha Software privately to let them know. If your consultants are advising you to spend serious money without actually demonstrating a deficiency, well, then, how you spend your money is your business I suppose.

            In any case it's unlikely Alpha will discuss the specifics of their security system in this public forum.



              #7
              Re: HUGE security problem in A5 web security

              Thanks for both your feedback!

              Just so we are clear, my programmers are not asking for any money for this. It is a simple fix to remove the possibility to use your own password, so there is no personal gain for them (simple stuff like that I do myself). I can now see that my old posts can easily be misunderstood regarding this and it is a fair point :)

              How they found out was that I lost my password and was able to retrieve it using a simple Xbasic function; they were shocked that I could retrieve the password and sent me the video on how not to store passwords. The rest of the actions were initiated by me.

              How do I know the method used for storing passwords? I can decrypt the password using the a5_decrypt_string() method; it should not be possible to decode the passwords at all if it was done properly.

              The problem to me is that I was under the false impression that the Alpha web security was secure, but looking into it there is so much information on how passwords should be kept that I am a bit surprised that Alpha is not using these methods; it is nothing new...



                #8
                Re: HUGE security problem in A5 web security

                In order for someone to get the password they should have access to the key which Alpha uses to encrypt, and it can be a 64-character-long auto-generated combination key. While this is not perfect (I doubt any system is perfect, otherwise banks won't be losing billions), it is rather difficult to generate a 64-character combination to hack through to steal a password. At least that's what I think. I am not a pro.
                If you know the key you can recover the password, as happened in your case; that is not to say the security is weak. You should know the key in the first place.
                I am in no way defending Alpha's security system, my knowledge is not that extensive, but I am just stating what I have learned so far using Alpha.
                Thanks for reading

                gandhi

                version 11 3381 - 4096
                mysql backend
                http://www.alphawebprogramming.blogspot.com
                1 914 924 5171



                  #9
                  Re: HUGE security problem in A5 web security

                  Robert,

                  I just tried to decrypt a password in one of my dbs using a5_decrypt_string(). I passed in the encryption key and Alpha would not decrypt it. It gave me back a message - see image.

                  [Attachment: A5 pwd decrypt failure.png]

                  So where am I going wrong?
                  Peter
                  AlphaBase Solutions, LLC

                  https://www.alphabasesolutions.com




                    #10
                    Re: HUGE security problem in A5 web security

                    Maybe there are good reasons why Alpha do not use some Microsoft .NET functions to build one-way passwords. I suppose they prefer Xbasic.



                      #11
                      Re: HUGE security problem in A5 web security

                      ' Interactive window session: encrypt a sample password with a fixed key
                      dim pw as c
                      pw = "gan4629"
                      dim enc_pw as c
                      enc_pw = encrypt_string(pw,"a405c845244544a8b227a3f56e031beb")
                      ?enc_pw
                      = ">!I/r72"

                      ' Anyone holding the same key reverses it and gets the password back
                      dim dec_pw as c
                      dec_pw = decrypt_string(enc_pw,"a405c845244544a8b227a3f56e031beb")
                      ?dec_pw
                      = "gan4629"
                      It does here. As I said, you need the key first; guessing a 64-character key is rather difficult, I hope.
                      Thanks for reading

                      gandhi

                      version 11 3381 - 4096
                      mysql backend
                      http://www.alphawebprogramming.blogspot.com
                      1 914 924 5171



                        #12
                        Re: HUGE security problem in A5 web security

                        Originally posted by GGandhi:
                            it does here. as I said you need the key first, guessing 64 character key is rather difficult, I hope.
                        Gandhi,

                        What you did works, but what I did was pull the encrypted pwd from the sql table on a web site. I know the e-key. But it won't decrypt. So Alpha is doing something different. I would like further comment from Robert.

                        Also, perhaps you could test against your own web site, assuming you use encryption?
                        Peter
                        AlphaBase Solutions, LLC

                        https://www.alphabasesolutions.com




                          #13
                          Re: HUGE security problem in A5 web security

                          Peter,
                          Maybe the pw in the SQL table is encrypted twice? First by Alpha, then by SQL? The video Robert refers to is talking about hashing & salting instead of encrypting. Given the fact that many major companies indeed still store your pw unencrypted (they even email it to you in plain text, like the guy says in the video - and we all see that happen), I think that with Alpha you're already far better off than in many other systems, so I think the title of his posting is a little disturbing/exaggerated. Let's also not forget that a good password begins with the user; the Adobe hack revealed that many, many users were simply using "1234" as their password, if I remember well...
                          Frank

                          Tell me and I'll forget; show me and I may remember; involve me and I'll understand


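Added example (not from this thread or from Alpha Software) contrasting the two approaches the thread argues about: a two-way scheme in the style of post #11, where one server-wide key recovers every stored password, beside the salted one-way hashing that the video Frank mentions describes, where a record can only be verified, never decrypted. The toy keystream cipher, the sample users and the reuse of the key and passwords quoted in the thread are constructed for this demo.

```python
import hashlib
import hmac
import os

# --- Two-way scheme, as the thread describes: one server-wide key, ciphertext stored in the DB.
# Toy keystream cipher (HMAC-SHA256 in counter mode), constructed only to show reversibility.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def reversible_store(password: str, key: bytes) -> bytes:
    """What ends up in the table: random nonce + password XOR keystream(key, nonce)."""
    nonce, pt = os.urandom(16), password.encode()
    return nonce + bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))

def reversible_recover(record: bytes, key: bytes) -> str:
    nonce, ct = record[:16], record[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def dump_all_passwords(records: dict, key: bytes) -> dict:
    """Whoever holds the key (a developer, a stolen DB backup plus config) gets every password."""
    return {user: reversible_recover(rec, key) for user, rec in records.items()}

# --- One-way scheme from the video: per-user random salt + slow hash; there is nothing to decrypt.
ITERATIONS = 200_000

def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison

if __name__ == "__main__":
    key = bytes.fromhex("a405c845244544a8b227a3f56e031beb")  # key quoted in post #11 (demo only)
    db = {"robert": reversible_store("gan4629", key), "frank": reversible_store("1234", key)}
    print(dump_all_passwords(db, key))  # {'robert': 'gan4629', 'frank': '1234'}
    rec = hash_password("gan4629")
    print(verify_password("gan4629", rec), verify_password("gan4630", rec))  # True False
    print(hash_password("gan4629") != rec)  # True: same password, different salt, different record
```

Hashing the same password twice yields two different records because of the salt, so a leaked table cannot be matched against a precomputed list the way an unsalted hash (or a decrypted dump) can.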

                            #14
                            Re: HUGE security problem in A5 web security

                            I created a new user, assigned a password, copied the encrypted password from the SQL table, and fed it into a5_decrypt_string() along with the encryption key stored in the Security settings.

                            Yes, it successfully decrypted the password for me.
                            Andrew



                              #15
                              Re: HUGE security problem in A5 web security

                              Frank, below are a couple of recent articles regarding most common passwords:

                              http://splashdata.com/press/worst-passwords-of-2014.htm

                              http://gizmodo.com/the-25-most-popul...-us-1504852434

                              http://arstechnica.com/security/2015...ts-misleading/

                              Andrew, I wonder why it works for you and not for me? I'll have to test again on another site.
                              Peter
                              AlphaBase Solutions, LLC

                              https://www.alphabasesolutions.com

