
Password Encryption (Alpha Implementation)


    I have code that is written transactionally.
    I want to insert into websecurity_users (mysql security implementation).

    Everything works perfectly - but the password is still plain text.
    I need to encrypt this - using the same method Alpha does - using the key defined in security.

    I have tried something of the sort:

    a5_encrypt_string("lFr+gp+A2/Ox3pEi1fOf5w==", "mysecuritykey")
    Let's say lFr+gp+A2/Ox3pEi1fOf5w== decrypted using "mysecuritykey" = ...mypassword.

    I need to be able to say
    dim encrypted_pass as C=a5_encrypt_string("mypassword", "mysecuritykey")
    This should equal: lFr+gp+A2/Ox3pEi1fOf5w== but it doesn't.


    The issue is that I do not know which algorithm Alpha is using in their login system.
    I have gone through every encryption algorithm - even tried to base64decode my encrypted strings.


    I need to be able to decrypt/encrypt passwords without going through an a5ws_ function.

    If anyone has the answer please post.
    Or if it is sensitive information - please private message me.

    Much appreciated.
    Scott Moniz - Computer Programmer/Analyst
    REA Inc.
    http://reainc.net
    (416)-533-3777
    [email protected]

    REA INC offers consulting services, programming services, systems design, database design, third party payment gateway integration (CHASE, PAYPAL, AUTHORIZE.NET) and developer support.
    If you need custom code, or 1-to-1 mentoring in any facet of your database/web application design,
    contact us to discuss options.

    #2
    Re: Password Encryption (Alpha Implementation)

    Anyone?

    What is the point of using the sql websecurity tables?
    Why would this be sensitive information? I am the one holding the key.
    Win 10 64 Development, Win 7 64 WAS 11-1, 2, Win 10 64 AA-1,2, MySql, dbForge Studio The Best MySQL GUI Tool IMHO. http://www.devart.com/dbforge/mysql/studio/

    Comment


      #3
      Re: Password Encryption (Alpha Implementation)

      Originally posted by JerryBrightbill View Post
      If you are using the password encryption option, there is no method to obtain or see passwords in clear text. The main point of encryption is to prevent anyone from obtaining the actual password. With password recovery options, a registered user can only get their own password by the recovery option selected if they can be authenticated.

      The login component has a secure built in process to change passwords using the method you describe, if the option to allow password change is selected as suggested.
      I found this in another thread. It seems that I have misunderstood the purpose of the encryption. According to this the encryption is to protect the user not the system. My concern is could someone hijack the login process and be able to see the password that was entered in the login component in plain English if encryption is not enabled?
      Last edited by frankbicknell; 05-09-2011, 12:38 PM.

      Comment


        #4
        Re: Password Encryption (Alpha Implementation)

        Originally posted by frankbicknell View Post
        I found this in another thread. It seems that I have misunderstood the purpose of the encryption. According to this the encryption is to protect the user not the system. My concern is could someone hijack the login process and be able to see the password that was entered in the login component in plain English if encryption is not enabled?
        "My concern is could someone hijack the login process and be able to see the password that was entered in the login component in plain English if encryption is not enabled?"
        Yes - an HTTP packet sniffer intercepting packets between a client computer and the server would possibly expose the password - as it is sent as plain text over the network.

        "The main point of encryption is to prevent anyone from obtaining the actual password" - Even the freaking developer!
        I was told by Alpha that you cannot decrypt passwords - then what is the point of encryption - this is not really encryption - it is more hashing.
        http://www.phpbb.com/kb/article/diff...n-and-hashing/

        "Hashing, in cryptography, is the taking of a message and creating a new message in such a way that it cannot be reversed. There is simply no key for it to be unlocked."

        So I'm really not sure whether Alpha hashes or encrypts. But according to someone I've talked to, what I want to do just isn't possible.
        Technically I can write a function called encrypt_password() that would use a5ws_save_web_user_values to save a record, read the password, and insert it.
        The reason I need to do this is that I need everything done as transactional SQL - instead of mixing/matching function calls/SQL procedures.
        And I also need a 3rd separate application to insert users for 2 other applications - so I'm gonna be hitting some roadblocks.

        All I needed was to do this
        dim ranpass as C=substr(remspecial(api_uuidcreate()),1,8)
        and then encrypt it
        ranpass=a5ws_password_encrypt(ranpass)

        I've been told there's no internal method to encrypt the password - I don't even CARE about decryption.
        Just wanted to encrypt - but, nope, not possible of course.
        :/
        Scott Moniz - Computer Programmer/Analyst

        Comment


          #5
          Re: Password Encryption (Alpha Implementation)

          http://stackoverflow.com/questions/4...ion-algorithms

          More reading.
          Scott Moniz - Computer Programmer/Analyst

          Comment


            #6
            Re: Password Encryption (Alpha Implementation)

            Originally posted by aburningflame View Post

            I've been told there's no internal method to encrypt the password - I don't even CARE about decryption.
            Just wanted to encrypt - but, nope, not possible of course.
            :/
            Here is what Alpha web server is doing. To be honest this isn't even close to being secure. If your "key" gets found then a hacker could get all your passwords in plain text and if people use them for other things then they are in trouble. There have been many well documented high profile hacks of this. This is why people who really know security only use 1 way hashes, then the hacker would need to have lots of rainbow tables to figure out what the plain text is.

            a5_encrypt_string(password,key)

            a5_decrypt_string(password,key)

            Also, they are using the blowfish algorithm.

            Comment


              #7
              Re: Password Encryption (Alpha Implementation)

              Alpha isn't using a5_encrypt_string(password,key) and if they are - they are taking the key you specify in web security and salting it somehow.

              Using a5_encrypt_string you will not be able to get the same result as alpha - they are definitely changing/adding to your key internally.
              Scott Moniz - Computer Programmer/Analyst

              Comment


                #8
                Re: Password Encryption (Alpha Implementation)

                I just tested it again. What I said earlier is accurate for what I am seeing.

                I created a user test123 w/ a password of 123456test through the web projects control panel. I then went into the websecurity_users table and copied the value from the password field for this user and ran it through a5_decrypt_string() with my password encryption string that is listed in security options and it worked. No salt needed.

                Comment


                  #9
                  Re: Password Encryption (Alpha Implementation)

                  This is interesting - because this is the first thing I tried.
                  I will look again when I have the chance, but I could not a5_decrypt_string() a password that is encrypted (even when using the right string).

                  Did you have to base64encode or decode at any point?
                  Can you post the code showing your a5_decrypt and output?

                  Thanks for your help
                  Scott Moniz - Computer Programmer/Analyst

                  Comment


                    #10
                    Re: Password Encryption (Alpha Implementation)

                    I went into Alpha Sports and set up some quick security.

                    Attached is a screen shot of the a5_encrypt_string(), a5_decrypt_string(), and the websecurity_users table.

                    Comment


                      #11
                      Re: Password Encryption (Alpha Implementation)

                      Very interesting. I'll have to revisit this one sometime.
                      Thanks for the screenshots.
                      Scott Moniz - Computer Programmer/Analyst

                      Comment


                        #12
                        Re: Password Encryption (Alpha Implementation)

                        Originally posted by jdrake View Post
                        I just tested it again. What I said earlier is accurate for what I am seeing.

                        I created a user test123 w/ a password of 123456test through the web projects control panel. I then went into the websecurity_users table and copied the value from the password field for this user and ran it through a5_decrypt_string() with my password encryption string that is listed in security options and it worked. No salt needed.
                        Alpha Five V9 and earlier just used a5_encrypt_string(). V10 does not use that method, but because V10 still had to run legacy projects created in earlier versions, it will still recognize a password encrypted with the V9 and earlier methods.

                        If you allow V10 to "encrypt" the password, your method will fail.

                        Comment
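
Added example, not part of the thread and not Alpha Software's code: the contrast drawn in post #6 between key-based reversible storage and one-way hashing, together with the legacy-record handling described in post #12, shown in Python. The keystream cipher is a constructed stand-in for a keyed reversible cipher (it is not Blowfish or a5_encrypt_string), and the function names, the `pbkdf2$` record format, the iteration count and the sample values are assumptions.

```python
import base64, hashlib, hmac, secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

def _xor_stream(data: bytes, key: bytes) -> bytes:
    # Constructed stand-in for a keyed reversible cipher. NOT Blowfish and not
    # Alpha's code: it only models "whoever holds the key can decrypt".
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def reversible_store(password: str, key: str) -> str:
    # Deterministic: the same password and key always give the same value.
    return base64.b64encode(_xor_stream(password.encode(), key.encode())).decode()

def reversible_recover(stored: str, key: str) -> str:
    # One leaked key turns every stored value back into plaintext.
    return _xor_stream(base64.b64decode(stored), key.encode()).decode()

def hash_store(password: str) -> str:
    # Random per-user salt, so equal passwords give different records.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (ITERATIONS, base64.b64encode(salt).decode(),
                                base64.b64encode(digest).decode())

def hash_verify(password: str, record: str) -> bool:
    # Recompute with the stored salt and compare; nothing is ever decrypted.
    _, iterations, salt, digest = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    base64.b64decode(salt), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest))

def login(users: dict, name: str, password: str, legacy_key: str) -> bool:
    record = users.get(name)
    if record is None:
        return False
    if record.startswith("pbkdf2$"):  # "$" never occurs in a base64 legacy value
        return hash_verify(password, record)
    # Legacy reversible record: re-encrypt the submitted password and compare,
    # then replace the record with a salted hash on success.
    expected = reversible_store(password, legacy_key)
    if hmac.compare_digest(expected.encode(), record.encode()):
        users[name] = hash_store(password)
        return True
    return False

if __name__ == "__main__":
    key = "mysecuritykey"  # constructed sample values
    users = {"test123": reversible_store("123456test", key)}
    print(reversible_recover(users["test123"], key))
    print(login(users, "test123", "123456test", key), users["test123"][:16])
```

The hashed record is an ordinary string, so it can be written to the password column by the same transactional SQL insert that creates the user.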


                          #13
                          Re: Password Encryption (Alpha Implementation)

                          Thank you Jerry, I was just about to give that a try again.

                          Comment


                            #14
                            Re: Password Encryption (Alpha Implementation)

                            Jerry, I don't understand, we are using V10 to test this. I just created a brand new test app in V10-latest patch and it decrypts exactly as stated in this discussion, using a5_decrypt_string(). I used SQL in the previous test, and DBF in this next test. The encryption key has to be long as in Frank's example.
                            Steve Wood
                            See my profile on IADN

                            Comment


                              #15
                              Re: Password Encryption (Alpha Implementation)

                              Originally posted by JerryBrightbill View Post
                              Alpha Five V9 and earlier just used a5_encrypt_string(). V10 does not use that method, but because V10 still had to run legacy projects created in earlier versions, it will still recognize a password encrypted with the V9 and earlier methods.

                              If you allow V10 to "encrypt" the password, your method will fail.
                              I think there is something going on here because I'm using 10.5 4091/3658 and just added this test user yesterday w/ this version. I have never used Alpha web server below 10.0

                              Comment
