• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Secure storage of passwords or credit card data
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Secure storage of passwords or credit card data

  • Subject: Re: Secure storage of passwords or credit card data
  • From: Markus Ruggiero <email@hidden>
  • Date: Tue, 10 Nov 2015 17:07:14 +0100
Thanks all who responded. I got some great ideas.

Just to make all of you feel better - I don't intend to store any CC numbers (just used it as an example) and I am fully aware that one should never ever store passwords but only some cryptographic hashes - and that was what I was looking for - ideas on how to accomplish this.

Again thank you all.
---markus---

> On 09.11.2015, at 17:53, Ramsey Gurley <email@hidden> wrote:
>
> Hi Markus,
>
> As others have mentioned, don’t store CC data unless you really really have to. You make a system compromise so much worse if you’ve got CC stuff lying around. That said, there’s ERXCryptoString and the ERPrototype by the same name.
>
> For password hashing, the new state of the art is Argon2. Google held a password hashing competition and this is the winner.
>
> https://password-hashing.net/
>
> For java, it looks like you just compile the C and Runtime.exec() the thing. I’ll be most interested in seeing this implemented in a browser (a new <password> tag perhaps?) and/or ported to Javascript, because I’ve had a change of heart about password hashes recently. Remember that there are three factors to authentication,
>
> Something only you are (biometrics)
> Something only you have (yubikey)
> Something only you know (password)
>
> How is it something *only* you know if you’ve just uploaded it as plaintext to some stranger's server on the www? In short, I think hashing should be done client side. The salt could be generated using username+domain or something. This would also distribute the workload of the slow hash out to the clients, preventing the need to have some gigantic beefy password hashing machine.
>
> Ramsey
>
> On Nov 4, 2015, at 2:40 AM, Markus Ruggiero <email@hidden> wrote:
>
>> Folks,
>>
>> another quick question: what are you using for secure storage of passowords and credit card data in a Wonder app? Is there anything in Wonder (probably there is, but it is not always easy to find things), or are you using other things/libs/code? Any code examples?
>>
>> Thanks for any hint / pointer /example
>> ---markus---
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Webobjects-dev mailing list      (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
References: 
 >Secure storage of passwords or credit card data (From: Markus Ruggiero <email@hidden>)
 >Re: Secure storage of passwords or credit card data (From: Ramsey Gurley <email@hidden>)

  • Prev by Date: Re: Deployment with Tomcat 8 (and beyond)
  • Next by Date: ERCoreBL's ERCAuditTrail - How do I use this?
  • Previous by thread: Re: Secure storage of passwords or credit card data
  • Next by thread: RE: Build Path issue - unbound Wonder frameworks
  • Index(es):
    • Date
    • Thread