I'm trying to retrieve the value of the HTTP password field for users with an specific password then the encrypted value is fine, if that password is found then change it to something else. It does change the password even is it doesn't match the encrypted value i have in the compare formula
Here is what I have so far
#If(#Compare(#GetDocField(#DocumentUniqueID;HTTPPassword);"7CCA9F186090ADEC4FA2A545B35F899A")
;#SetDocField(#DocumentUniqueID; "HTTPPassword"; "Newpassword");"");
SELECT #All
Any Help is greatly appreciated, this is for my work data security group. I need to change a bunch of compromised passwords.
A much simpler formula would be
FIELD HTTPPassword := #If(HTTPPassword = "(7CCA9F186090ADEC4FA2A545B35F899A)"; #Password("NewPassword"); HttpPassword);
That said, writing code may not be the best way of doing this particular task. See here for an alternative.
Related
We have built an integration between Netsuite and our external system. We want to store the external system's credentials on the employee record but I'm having a really difficult time understanding how the password field type is supposed to work.
The documentation states "When validating, you pull the encrypted password value into a hidden field and use custom code to encrypt the value the user typed and compare it with the actual encrypted value."
But aside from this I don't feel like I have a solid idea on what the proper implementation should be.
So essentially I ended up doing what prasun did. One thing I did do what still create a password type field and add a client script on record save to encrypt the entered password and insert the value into another plain text field that was not displayed on the UI. This had the desired user experience to fulfill my requirements (showing the standard password field). From there, we just decrypted the encrypted field (the one we copied our password into and encrypted) during run time. So it's a little bit of a round about trip but it is working and in no place is the password being stored in plain text which was our desired goal!
or you can create a password fiels in plain text and can hide that field.The security level is low but still we can implement it with less effort.
I'd like to create a SecretEncryptionKeys dialog list field which prepopulates with the names of the available document keys in the current ID. Is there a way to do so? I cannot seem to find one in the documentation. (I can find #Command([UserIDEncryptionKeys]), but that just opens the Encryption dialog.)
This is a follow-on to Is it possible to programmatically tell Lotus Notes to generate a new secret key? , since I don't want the people who instantiate the new database to have to edit the forms involved to set the default encryption key. If they do, the next time the design on the database instance is refreshed from the template the settings will be overwritten.
The last time I checked in with IBM engineers about this, the answer was no. That was probably about 10 years ago, however I just took a quick look at the Notes 9 API Reference and I don't see anything there that would expose the list of keys, so I suspect that the answer is still no.
Actually, i have this url http://mydomain.fr/user/1 in my web application. I think it is not very safe
I would hide the id which is auto_increment.
To not be able to do that:
http://mydomain.fr/user/1
http://mydomain.fr/user/2
http://mydomain.fr/user/3
http://mydomain.fr/user/4
http://mydomain.fr/user/[...]
I do not know which technique to use...
Hash MD5 stored beside primary key
UUID / GUID
I use MySQL.
You should restrict access to URLs based on authentication. Just making it 'hard to guess' an ID will not prevent someone from accessing another user's page or, e.g., deleting an unexpected user. Basically, anyone will be able to access any URL unless you provide some access control.
I think generate a random unique string for a user is the best way.
simply use sha1 hash should be ok.
There is no way properly to hide it, you can generate unique ID with a long random hashed string, it's harder to guest. Basically that won't prevent someone to access other's ID.
OP may be concerned with divulging the primary keys because it could leak information into how many of a certain resource exists.
For example, if he is building a web app and someone creates an account and sees a url of domain.fr/user/23 they will know they have created an account on an application with low adoption.
My suggestion would be to either use a GUID value as suggested above or a username that is constrained to be unique.
If you use a GUID, it will look ugly, but make sure to not just use the beginning part as you could greatly increase the chance of collision since the first 60 bits are based on the timestamp.
If you use a unique username, your url would instead look like domain.fr/user/username
I know this is easily done on RoR.
Why is the password-argument required for cfloginuser-tag and what is it used for? I don't know the clear password in my application, because I'm using password-hash & salt to identify a user at login.
Documentation
You really don't need to know the clear password. If you have already executed the logic to login the user, you should already have the hashed password, simply use that. Or, you could even use createUUID() as the password attribute (this is better as the value stored with cflogin will have nothing to do with the user at all).
Point is, it does not matter what you use as ColdFusion does not use that value for anything. I would, however, caution against using the password the user types in, its never a good idea to store the raw, unhashed password anywhere.
I agree. It doesn't make much sense. I do use hash & salt technique too. In the past, I've just set the password attribute of the cfloginuser tag to the value the user has typed in for their password.
An email confirmation gets sent when my website users making a booking. I have been requested to add a "Having trouble viewing this email?" link to the top which links to the email on the website.
I'm having trouble wondering how I should generate a link so the user could view this email.
Note that I am using a third party booking system which gives me a confirmation code such as: 12345BE913913 where 12345 is the property and BE is always BE and 913913 is a secondary number.
I'm wondering if I could just hash this number and make that the link? Eg sha1('12345BE913913') which turns into 070bae598f481351e24975d6509fc0a73cad9a17
And then the link in the email becomes something like href="http://blah.com/email/view/070bae598f481351e24975d6509fc0a73cad9a17
Question #1: Is this a pretty standard, secure way of doing it?
If so, I have one other concern... I would need to pull in this information in order to generate the email in my email/view. The web service only accepts the confirmation code, so I would have to feed the original one, 12345BE913913 to it. So I can't simply grab all the confirmation codes, sha1 them all and see which one equates to 070bae598f481351e24975d6509fc0a73cad9a17.
Question #2: Is my only option to get the booking information through the webservice that accepts the original confirmation code, to create a local database storing all the confirmation codes, and then get all of them SHA1'd and see if it equates to 070bae598f481351e24975d6509fc0a73cad9a17 to pull it up? It's not safe to use the actual confirmation code in the email, is it?
Why not pass both the confirmation number (as the primary key) and a MAC associated with it (to prevent people from guessing URLs.
URL Generation Pseudocode:
$mac = HMAC_SHA1($server_secret, $confCode);
$url = "http://$baseURL?conf=$confCode&m=$mac";
Email Display Pseudocode:
$mac = getParam("m");
$confCode = getParam("conf");
$expectedMac = HMAC_SHA1($server_secret, $confCode);
if($mac != $expectedMac) { # Or in real perl, ne instead of !=
return errorPage();
}
return email($confCode);
Why use SHA1 if you need the operation to be reversible? Why not instead encrypt it using a symetric algorithm such as Twofish to generate the URL. You can decrypt it on the server side using your key to recover the original confirmation code, then send the confirmation code to the 3rd party booking system. Since nobody else has your key, nobody else can recover the confirmation code.
Hashing the real identifier, and storing the hash as the key in a table to the original value for "reverse lookup" is a conventional approach.
That isn't the only option, however. You could encrypt the confirmation code. Since the confirmation codes are short and, and (I'm presuming) unique, it would be alright to use ECB mode with a block cipher, which would keep the resulting cipher text short (16 bytes instead of SHA-1's 20 bytes).
The caveat with ECB is that the same confirmation code will always produce the same cipher text. Most likely, a code is only sent in a single email; but, if it is sent more than once, an attacker would be able to determine that the email relates to the same confirmation code (but they wouldn't be able to determine the confirmation code itself).
I'm not sure what you mean by "safe". What can someone do with the confirmation number? Would they be able to use the hash to get the confirmation number from your site? Unless you use S/MIME (or PGP), an email is not private; assume an attacker can read email.