Alpha Software Mobile Development Tools:   Alpha Anywhere    |   Alpha TransForm subscribe to our YouTube Channel  Follow Us on LinkedIn  Follow Us on Twitter  Follow Us on Facebook

Announcement

Collapse

The Alpha Software Forum Participation Guidelines

The Alpha Software Forum is a free forum created for Alpha Software Developer Community to ask for help, exchange ideas, and share solutions. Alpha Software strives to create an environment where all members of the community can feel safe to participate. In order to ensure the Alpha Software Forum is a place where all feel welcome, forum participants are expected to behave as follows:
  • Be professional in your conduct
  • Be kind to others
  • Be constructive when giving feedback
  • Be open to new ideas and suggestions
  • Stay on topic


Be sure all comments and threads you post are respectful. Posts that contain any of the following content will be considered a violation of your agreement as a member of the Alpha Software Forum Community and will be moderated:
  • Spam.
  • Vulgar language.
  • Quotes from private conversations without permission, including pricing and other sales related discussions.
  • Personal attacks, insults, or subtle put-downs.
  • Harassment, bullying, threatening, mocking, shaming, or deriding anyone.
  • Sexist, racist, homophobic, transphobic, ableist, or otherwise discriminatory jokes and language.
  • Sexually explicit or violent material, links, or language.
  • Pirated, hacked, or copyright-infringing material.
  • Encouraging of others to engage in the above behaviors.


If a thread or post is found to contain any of the content outlined above, a moderator may choose to take one of the following actions:
  • Remove the Post or Thread - the content is removed from the forum.
  • Place the User in Moderation - all posts and new threads must be approved by a moderator before they are posted.
  • Temporarily Ban the User - user is banned from forum for a period of time.
  • Permanently Ban the User - user is permanently banned from the forum.


Moderators may also rename posts and threads if they are too generic or do not property reflect the content.

Moderators may move threads if they have been posted in the incorrect forum.

Threads/Posts questioning specific moderator decisions or actions (such as "why was a user banned?") are not allowed and will be removed.

The owners of Alpha Software Corporation (Forum Owner) reserve the right to remove, edit, move, or close any thread for any reason; or ban any forum member without notice, reason, or explanation.

Community members are encouraged to click the "Report Post" icon in the lower left of a given post if they feel the post is in violation of the rules. This will alert the Moderators to take a look.

Alpha Software Corporation may amend the guidelines from time to time and may also vary the procedures it sets out where appropriate in a particular case. Your agreement to comply with the guidelines will be deemed agreement to any changes to it.



Bonus TIPS for Successful Posting

Try a Search First
It is highly recommended that a Search be done on your topic before posting, as many questions have been answered in prior posts. As with any search engine, the shorter the search term, the more "hits" will be returned, but the more specific the search term is, the greater the relevance of those "hits". Searching for "table" might well return every message on the board while "tablesum" would greatly restrict the number of messages returned.

When you do post
First, make sure you are posting your question in the correct forum. For example, if you post an issue regarding Desktop applications on the Mobile & Browser Applications board , not only will your question not be seen by the appropriate audience, it may also be removed or relocated.

The more detail you provide about your problem or question, the more likely someone is to understand your request and be able to help. A sample database with a minimum of records (and its support files, zipped together) will make it much easier to diagnose issues with your application. Screen shots of error messages are especially helpful.

When explaining how to reproduce your problem, please be as detailed as possible. Describe every step, click-by-click and keypress-by-keypress. Otherwise when others try to duplicate your problem, they may do something slightly different and end up with different results.

A note about attachments
You may only attach one file to each message. Attachment file size is limited to 2MB. If you need to include several files, you may do so by zipping them into a single archive.

If you forgot to attach your files to your post, please do NOT create a new thread. Instead, reply to your original message and attach the file there.

When attaching screen shots, it is best to attach an image file (.BMP, .JPG, .GIF, .PNG, etc.) or a zip file of several images, as opposed to a Word document containing the screen shots. Because Word documents are prone to viruses, many message board users will not open your Word file, therefore limiting their ability to help you.

Similarly, if you are uploading a zipped archive, you should simply create a .ZIP file and not a self-extracting .EXE as many users will not run your EXE file.
See more
See less

Password Encryption (Alpha Implementation)

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    #31
    Re: Password Encryption (Alpha Implementation)

    Originally posted by frankbicknell View Post
    Thanks Scott,

    Any idea of where I can find the help on that? I searched the local, online, and wiki help files and got no hits.
    Code:
     'try to insert hte web user
    	           	dim usrP as P
    				dim usrP.guid as C
    				dim usrP.userid as C
    				dim usrP.email as C
    				dim usrP.ulink as C
    				dim usrP.password as C
    				dim usrP.groups as C
    					                                                                                                                                                                                                                                                                                                                                   
    				usrP.guid="";
    				usrP.userid=tuser_email
    				usrP.email=tuser_email
    				usrP.password=ranpass
    				usrP.ulink=perID
    					                                                                                                                                                                                                                                                
    				dim output as P
    				dim output.controls as P
    				dim output.controls.guid.value as C
    				dim resP as P
    					
    				resP=a5ws_save_webuser_values(output,usrP);
    				
    				if resP.errors==.f. then
    
                                    else
                                    end if
    The flow is something like this:
    Alpha will insert into the active link tables
    Something internally will trigger the active link tables to write to your SQL database
    Scott Moniz - Computer Programmer/Analyst
    REA Inc.
    http://reainc.net
    (416)-533-3777
    [email protected]

    REA INC offers consulting services, programming services, systems design, database design, third party payment gateway integration (CHASE, PAYPAL, AUTHORIZE.NET) and developer support.
    If you need custom code, or 1-to-1 mentoring in any facet of your database/web application design,
    contact us to discuss options.

    Comment


      #32
      Re: Password Encryption (Alpha Implementation)

      What i wanted to do was instead of hte code above use this

      'open connection
      'begin transaction
      'insert record into person table
      'insert record into security table
      args.set("password", a5ws_encrypt_my_pass(randompass)) 'this password is sent to the user in an email - i never see it and its randomly generated from a 8-12character substring of a guid
      sql="INSERT INTO websecurity_users (user_id,password,ulink) VALUES (:user_id,:password,:ulink)
      'insert other user configuration records

      'if error, rollback
      'if not, commit

      The function in bold does not exist. So there is no way for a developer to hash/encrypt the password one way.

      SCENARIO:
      I have a system named System #3. System #3 is a management system and needs to be able to add users into websecurity for System #1 and System #2.
      Each system has its own set of websecurity_* tables.

      As far as I see, this cannot be done (as there is no method I can use to encrypt random passwords with a certain security key).
      Any thoughts?
      Scott Moniz - Computer Programmer/Analyst
      REA Inc.
      http://reainc.net
      (416)-533-3777
      [email protected]

      REA INC offers consulting services, programming services, systems design, database design, third party payment gateway integration (CHASE, PAYPAL, AUTHORIZE.NET) and developer support.
      If you need custom code, or 1-to-1 mentoring in any facet of your database/web application design,
      contact us to discuss options.

      Comment


        #33
        Re: Password Encryption (Alpha Implementation)

        Thanks again Scott, I will play with that for a while. I really missed the boat on this one. What is the point of the sql tables? I thought it was to allow us to make a user interface with a better performing, more robust database, which I have done with unencrypted passwords. That really limits the use of the sql web security tables. I'm with you on this one. There needs to be a method to encrypt a plain text string in a password field so that you can query the sql table for a password match.
        Win 10 64 Development, Win 7 64 WAS 11-1, 2, Win 10 64 AA-1,2, MySql, dbForge Studio The Best MySQL GUI Tool IMHO. http://www.devart.com/dbforge/mysql/studio/

        Comment


          #34
          Re: Password Encryption (Alpha Implementation)

          I don't understand why Alpha is trying to obfuscate their "encryption" techniques. It is well known that obfuscation is not security. What's the problem with using SHA-2 or something that is pretty secure, well tested and open to hash passwords?

          Alpha wants developers to trust them with security, but how can we trust them when they do things like this? What's also scary is that Alpha doesn't even know how it encrypts their current passwords. Jerry says v10 doesn't use a5_encrypt_string() but I can prove all day long that it does (which I already did with my previous screenshot). Stuff like this is exactly how companies get hacked bad.

          To me, when someone has something to hide (like how you encrypt or hash your password) is saying that your "homebrew" techniques are probably not secure or industry standard/proven.

          So I'm asking Alpha, open up your password encryption techniques and let crowd sourcing tell you if your secure or just blowing smoke or are you afraid what we might tell you.

          Comment


            #35
            Re: Password Encryption (Alpha Implementation)

            There needs to be a method to encrypt a plain text string in a password field so that you can query the sql table for a password match.
            This is simple. When a user signs up they do so using a registration form that you create. Capture the password at that point and save it to a second field, encrypted they way you want. I temporarily store the password a pending_user table (of sorts) between the time they register, and when they complete the double opt-in, then I move the password to the websecurity_users table using Alpha's functions, but I could also pass that to a second field.

            Then, when they change their password, they would be using a form that you create. Again capture the password and store it in that second field, encrypted the way you want.
            Steve Wood
            See my profile on IADN

            Comment


              #36
              Re: Password Encryption (Alpha Implementation)

              Originally posted by jdrake View Post
              I don't understand why Alpha is trying to obfuscate their "encryption" techniques. It is well known that obfuscation is not security. What's the problem with using SHA-2 or something that is pretty secure, well tested and open to hash passwords?

              Alpha wants developers to trust them with security, but how can we trust them when they do things like this? What's also scary is that Alpha doesn't even know how it encrypts their current passwords. Jerry says v10 doesn't use a5_encrypt_string() but I can prove all day long that it does (which I already did with my previous screenshot). Stuff like this is exactly how companies get hacked bad.

              To me, when someone has something to hide (like how you encrypt or hash your password) is saying that your "homebrew" techniques are probably not secure or industry standard/proven.

              So I'm asking Alpha, open up your password encryption techniques and let crowd sourcing tell you if your secure or just blowing smoke or are you afraid what we might tell you.
              Albeit harsh, Completely agree.
              Scott Moniz - Computer Programmer/Analyst
              REA Inc.
              http://reainc.net
              (416)-533-3777
              [email protected]

              REA INC offers consulting services, programming services, systems design, database design, third party payment gateway integration (CHASE, PAYPAL, AUTHORIZE.NET) and developer support.
              If you need custom code, or 1-to-1 mentoring in any facet of your database/web application design,
              contact us to discuss options.

              Comment


                #37
                Re: Password Encryption (Alpha Implementation)

                Originally posted by frankbicknell View Post
                Thanks again Scott, I will play with that for a while. I really missed the boat on this one. What is the point of the sql tables? I thought it was to allow us to make a user interface with a better performing, more robust database, which I have done with unencrypted passwords. That really limits the use of the sql web security tables. I'm with you on this one. There needs to be a method to encrypt a plain text string in a password field so that you can query the sql table for a password match.
                The point of the sql tables is to allow you to store users/groups/etc in mysql. This way you dont have to rely on dbfs. You can also make grids referencing the sql tables and this way everything is in 1 database instead of having to work with dbfs AND sql. I am using the save web user method and let alpha encrypt my passwords for me. However, I would have preferred to just write my own INSERT INTO yada yada. And I agree - you cant query for a password match unless you decide not to use Alpha's security methods.

                It looks like the more I code with Alpha - the more custom code I am writing and the less I am relying on their futures. If this was the case, I could have probably just coded in PHP.
                Oh well.
                Scott Moniz - Computer Programmer/Analyst
                REA Inc.
                http://reainc.net
                (416)-533-3777
                [email protected]

                REA INC offers consulting services, programming services, systems design, database design, third party payment gateway integration (CHASE, PAYPAL, AUTHORIZE.NET) and developer support.
                If you need custom code, or 1-to-1 mentoring in any facet of your database/web application design,
                contact us to discuss options.

                Comment


                  #38
                  Re: Password Encryption (Alpha Implementation)

                  Originally posted by Steve Wood View Post
                  This is simple. When a user signs up they do so using a registration form that you create. Capture the password at that point and save it to a second field, encrypted they way you want. I temporarily store the password a pending_user table (of sorts) between the time they register, and when they complete the double opt-in, then I move the password to the websecurity_users table using Alpha's functions, but I could also pass that to a second field.

                  Then, when they change their password, they would be using a form that you create. Again capture the password and store it in that second field, encrypted the way you want.
                  Steve, sorry, but I think your missing the point of what this function would allow. I dont want to use the save web user function - I would like the option to be able to encrypt the password ourselves - using alphas security system so that other aspects [groups,users,login components] can still be implemented. At the present time, the only way to do this would be to write a Get_Password() that would use the save_web_user_values - insert a user, read the password and return it, delete the user. This is such a waste of processing power.

                  Anyway - the function WOULD be useful to have.
                  I didn't mean to make a big deal about it - I just find it amazing that the function isnt exposed.

                  Just because the encryption method is exposed - does not mean that encryption will be cracked.
                  The encryption key is there to provide a random element to the encryption method and if you want to take it a step further.
                  The key can be salted with a random string - and this salt can be stored along with the data it was encrypting.

                  Key+Salt = encryption key
                  Scott Moniz - Computer Programmer/Analyst
                  REA Inc.
                  http://reainc.net
                  (416)-533-3777
                  [email protected]

                  REA INC offers consulting services, programming services, systems design, database design, third party payment gateway integration (CHASE, PAYPAL, AUTHORIZE.NET) and developer support.
                  If you need custom code, or 1-to-1 mentoring in any facet of your database/web application design,
                  contact us to discuss options.

                  Comment


                    #39
                    Re: Password Encryption (Alpha Implementation)

                    Originally posted by Steve Wood View Post
                    This is simple. When a user signs up they do so using a registration form that you create. Capture the password at that point and save it to a second field, encrypted they way you want. I temporarily store the password a pending_user table (of sorts) between the time they register, and when they complete the double opt-in, then I move the password to the websecurity_users table using Alpha's functions, but I could also pass that to a second field.

                    Then, when they change their password, they would be using a form that you create. Again capture the password and store it in that second field, encrypted the way you want.
                    Thanks for that.
                    Win 10 64 Development, Win 7 64 WAS 11-1, 2, Win 10 64 AA-1,2, MySql, dbForge Studio The Best MySQL GUI Tool IMHO. http://www.devart.com/dbforge/mysql/studio/

                    Comment


                      #40
                      Re: Password Encryption (Alpha Implementation)

                      Originally posted by jdrake View Post
                      I don't understand why Alpha is trying to obfuscate their "encryption" techniques. It is well known that obfuscation is not security. What's the problem with using SHA-2 or something that is pretty secure, well tested and open to hash passwords?

                      Alpha wants developers to trust them with security, but how can we trust them when they do things like this? What's also scary is that Alpha doesn't even know how it encrypts their current passwords. Jerry says v10 doesn't use a5_encrypt_string() but I can prove all day long that it does (which I already did with my previous screenshot). Stuff like this is exactly how companies get hacked bad.

                      To me, when someone has something to hide (like how you encrypt or hash your password) is saying that your "homebrew" techniques are probably not secure or industry standard/proven.

                      So I'm asking Alpha, open up your password encryption techniques and let crowd sourcing tell you if your secure or just blowing smoke or are you afraid what we might tell you.
                      I would like to echo this... Well said.

                      I think I got to the same place that Frank did and pondered the mechanics of writing my own log in control. Went back to using a hybrid SQL and Alpha. Would like to see a crowd source option on this.

                      Regards,

                      Michael Carroll

                      www.redrocksbluesky.com
                      www.theminimalistrunner.com
                      [email protected]
                      435-275-5170

                      Comment


                        #41
                        Re: Password Encryption (Alpha Implementation)

                        I've seen the term "crowd source" a couple time here, what is that?
                        Steve Wood
                        See my profile on IADN

                        Comment


                          #42
                          Re: Password Encryption (Alpha Implementation)

                          Originally posted by Steve Wood View Post
                          I've seen the term "crowd source" a couple time here, what is that?
                          Its a combination of crowd and outsourcing, basically crowd outsourcing. I was using it to describe a standard practice, especially for a software framework, to document and publish how the internal security works and let people on the internet point out and flaws or mistakes. For example, Google gives up to $3000 to a person if they find a security flaw in their chrome browser. In crowd sourcing, payments are completely optional but do provide some incentive to actually report a bug you find.

                          From what I gather, Alpha Software does not want to do this for whatever their reasons. Since I've never seen Alpha Software describe what these reasons are, I can only give educated guesses.
                          1. I think they don't want us (developers) to mess with their security functions and use them improperly and actually make our program less secure. Which can be easily stopped if they gave good documentation and examples.
                          2. They are also acting a little ignorant, they tell us their product is secure and to just trust them, then once you get over that, drink this tasty punch they just made.


                          They will probably bypass this whole issue, if the buzz is true, and move to IIS and then pass the security buck to Microsoft. I would say this is a good thing, IIS has crowd sourcing from millions of security professionals around the world analyzing it for bugs.

                          Comment


                            #43
                            Re: Password Encryption (Alpha Implementation)

                            Originally posted by jdrake View Post
                            They are also acting a little ignorant, they tell us their product is secure and to just trust them, then once you get over that, drink this tasty punch they just made.
                            I hope the punch doesnt have any funny stuff in it =)
                            Scott Moniz - Computer Programmer/Analyst
                            REA Inc.
                            http://reainc.net
                            (416)-533-3777
                            [email protected]

                            REA INC offers consulting services, programming services, systems design, database design, third party payment gateway integration (CHASE, PAYPAL, AUTHORIZE.NET) and developer support.
                            If you need custom code, or 1-to-1 mentoring in any facet of your database/web application design,
                            contact us to discuss options.

                            Comment

                            Working...
                            X