Our method of encrypting user passwords needs some (major) improvement. Using the PBKDF2 algorithm seems to be the industry standard on the internet nowadays, but OpenEdge 11.3 doesn't support that if I understand the knowledgebase correctly. What type of algorithms are you using to meet the ever increasing compliance rules?
OpenEdge does not encrypt passwords except in its _user table test accounts and the Domain access code used for Client-Principal token generation, neither of which meets any industry standard. The language does support, for general use, some algorithms for message digest, symmetric encryption, and simple key generation. The language does not support any of the asymmetric algorithms, including the one you mention.
You will need to query OpenEdge product management for information relating to future plans in this space.
Reply by Mike Fechner: I'm not a crypto expert at all. But on Windows (GUI, TTY, AppServer) you could use .NET libraries:
stackoverflow.com/.../hash-password-in-c-bcrypt-pbkdf2 or www.shawnmclean.com/.../simplecrypto-net-a-pbkdf2-hashing-wrapper-for-net-framework
It should be fairly simple to either build a custom .NET library to do so or translate the code into ABL.
A couple of years ago I got some recommendations from Julio Vassallo on the peg. Alas, I never worked it out because the need for it expired.
Julio Vassallo
2/14/13
to peg
Do not hash passwords with SHA. It wasn't meant for that. It's not a *cryptographic* hashing algorithm. If you care about your users' security you should use bcrypt: http://bcrypt.codeplex.com/
A salt is just something that gets added to the plaintext before you call the hash function. E.g. instead of hash(password), you can salt with the username by doing hash(username + password). In practice, salts are usually some secret token that only you know about, generated per-user (e.g. a UUID that gets stored as a column in the User table). The main point of them is to break rainbow tables so pretty much anything works for a salt.
to Julio, peg
Thanks Julio. Still thinking about this.
FYI: www.unlimitednovelty.com/.../dont-use-bcrypt.html
Julio Vassallo
2/20/13
to me, peg
Yeah, I saw that on HN when it was posted: news.ycombinator.com/item (some great comments there, including from Moxie Marlinspike and Thomas Ptacek)
You can use scrypt if you want, and it's theoretically stronger, but it hasn't been out for as long as bcrypt and implementations are not as widely available. PBKDF2 is worse than bcrypt.