Re: Secure storage of passwords or credit card data
- Subject: Re: Secure storage of passwords or credit card data
- From: Ramsey Gurley <email@hidden>
- Date: Mon, 09 Nov 2015 09:53:33 -0700
Hi Markus,
As others have mentioned, don’t store CC data unless you really really have to. You make a system compromise so much worse if you’ve got CC stuff lying around. That said, there’s ERXCryptoString and the ERPrototype by the same name.
For password hashing, the new state of the art is Argon2. Google held a password hashing competition and this is the winner.
https://password-hashing.net/
For Java, it looks like you just compile the C and Runtime.exec() the thing. I’ll be most interested in seeing this implemented in a browser (a new <password> tag perhaps?) and/or ported to JavaScript, because I’ve had a change of heart about password hashes recently. Remember that there are three factors to authentication,
Something only you are (biometrics)
Something only you have (yubikey)
Something only you know (password)
How is it something *only* you know if you’ve just uploaded it as plaintext to some stranger's server on the www? In short, I think hashing should be done client side. The salt could be generated using username+domain or something. This would also distribute the workload of the slow hash out to the clients, preventing the need to have some gigantic beefy password hashing machine.
Ramsey
On Nov 4, 2015, at 2:40 AM, Markus Ruggiero <email@hidden> wrote:
> Folks,
>
> another quick question: what are you using for secure storage of passwords and credit card data in a Wonder app? Is there anything in Wonder (probably there is, but it is not always easy to find things), or are you using other things/libs/code? Any code examples?
>
> Thanks for any hint / pointer /example
> ---markus---
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
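The client-side scheme sketched in Ramsey's reply (a slow hash computed on the client with a salt derived from username+domain, so the raw password never leaves the user's machine), shown end to end as an added example that is not code from the thread, from Wonder, or from the Argon2 project. It uses Python's standard-library scrypt in place of Argon2 because Argon2 is not in the standard library; the work-factor constants, the `client_prehash`/`server_store`/`server_verify` function names and the sample user are all constructed for this illustration. The one design point the snippet adds is on the server side: whatever value the client submits is the credential the server accepts, so the server must still hash it again with a random per-record salt before storing it, otherwise a leaked table can be replayed directly.

```python
import hashlib
import hmac
import os

# Work-factor parameters (constructed for this example; tune per deployment).
# n=2**14, r=8 costs about 16 MiB of memory per hash, within hashlib's default maxmem.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32


def _slow_hash(secret: bytes, salt: bytes) -> bytes:
    """Memory-hard password hash (stand-in for Argon2; scrypt from the stdlib)."""
    return hashlib.scrypt(secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def client_prehash(username: str, domain: str, password: str) -> bytes:
    """Client side: slow hash with a deterministic salt from username+domain.

    The salt must be deterministic because the client holds no server state;
    binding it to the domain keeps the same password from producing the same
    prehash on two different sites.
    """
    salt = hashlib.sha256(f"{username.lower()}@{domain.lower()}".encode("utf-8")).digest()
    return _slow_hash(password.encode("utf-8"), salt)


def server_store(client_hash: bytes) -> dict:
    """Server side: treat the received prehash as the secret and hash it again.

    A fresh random salt per record means two users with identical prehashes
    store different values, and a stolen table cannot be replayed as-is.
    """
    salt = os.urandom(16)
    return {"salt": salt, "hash": _slow_hash(client_hash, salt)}


def server_verify(record: dict, client_hash: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = _slow_hash(client_hash, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed sample user; the domain is a placeholder, not a real site.
    prehash = client_prehash("alice", "example.invalid", "correct horse battery staple")
    record = server_store(prehash)
    print("login ok:", server_verify(record, prehash))
    print("wrong password rejected:",
          not server_verify(record, client_prehash("alice", "example.invalid", "wrong")))
```

The client prehash is deterministic for a given user, domain and password, so it can be recomputed at every login without any server round trip; the server-side record is not, because of its random salt, which is what makes the stored table safe to lose even though the client already did the expensive work.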