Search Results

Search found 298 results on 12 pages for 'salt'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 8/12 | < Previous Page | 4 5 6 7 8 9 10 11 12  | Next Page >

  • What are the weaknesses of this user authentication method?

    - by byronh
    I'm developing my own PHP framework. It seems all the security articles I have read use vastly different methods for user authentication than I do so I could use some help in finding security holes. Some information that might be useful before I start. I use mod_rewrite for my MVC url's. Passwords are sha1 and md5 encrypted with 24 character salt unique to each user. mysql_real_escape_string and/or variable typecasting on everything going in, and htmlspecialchars on everything coming out. Step-by step process: Top of every page: session_start(); session_regenerate_id(); If user logs in via login form, generate new random token to put in user's MySQL row. Hash is generated based on user's salt (from when they first registered) and the new token. Store the hash and plaintext username in session variables, and duplicate in cookies if 'Remember me' is checked. On every page, check for cookies. If cookies set, copy their values into session variables. Then compare $_SESSION['name'] and $_SESSION['hash'] against MySQL database. Destroy all cookies and session variables if they don't match so they have to log in again. If login is valid, some of the user's information from the MySQL database is stored in an array for easy access. So far, I've assumed that this array is clean so when limiting user access I refer to user.rank and deny access if it's below what's required for that page. I've tried to test all the common attacks like XSS and CSRF, but maybe I'm just not good enough at hacking my own site! My system seems way too simple for it to actually be secure (the security code is only 100 lines long). What am I missing? I've also spent alot of time searching for the vulnerabilities with mysql_real_escape string but I haven't found any information that is up-to-date (everything is from several years ago at least and has apparently been fixed). All I know is that the problem was something to do with encoding. If that problem still exists today, how can I avoid it? Any help will be much appreciated.

    Read the article

  • Start a git commit message with a hashmark (#)

    - by knittl
    Git treats lines starting with # as comment lines when committing. this is very annoying when working with a ticket tracking system, and trying to write the ticket number at the beginning of the line, e.g. #123 salt hashed passwords git will simply remove the line from the commit message. is there any way to escape the hash? i tried \ and !, but nothing works. whitespaces before # are preserved, so they aren't a working solution to the problem either.

    Read the article

  • Your creative PHP Obfuscation - Dynamic Variables

    - by Email
    Hi No thread about use or unuse of obfuscusion please ^^ Just share creative approaches how to obfuscate in php the really smart way plz. plain md5 and base64_decode is too static .. what you think regarding hash, salt what about dynamic Variables (even for the same $var). Thx for any creative input

    Read the article

  • making a password-only auth with bcrypt and mongoose

    - by user3081123
    I want to create service that let you login only with password. You type a password and if this password exists - you are logged in and if it's not - username is generated and password is encrypted. I'm having some misunderstandings and hope someone would help me to show where I'm mistaken. I guess, it would look somewhat like this in agularjs First we receive a password in login controller. $scope.signup = function() { var user = { password: $scope.password, }; $http.post('/auth/signup', user); }; Send it via http.post and get in in our node server file. We are provided with a compare password bcrypt function userSchema.methods.comparePassword = function(candidatePassword, cb) { bcrypt.compare(candidatePassword, this.password, function(err, isMatch) { if (err) return cb(err); cb(null, isMatch); }); }; So right now we are creating function to catch our http request app.post('/auth/signup', function(req, res, next) { Inside we use a compair password function to realize if such password exists or not yet. So we have to encrypt a password with bcrypt to make a comparison First we hash it same way as in .pre var encPass; bcrypt.genSalt(10, function(err, salt) { if (err) return next(err); bcrypt.hash(req.body.password, salt, function(err, hash) { if (err) return next(err); encPass=hash; )}; )}; We have encrypted password stored in encPass so now we follow to finding a user in database with this password User.findOne({ password: encPass }, function(err, user) { if (user) { //user exists, it means we should pass an ID of this user to a controller to display it in a view. I don't know how. res.send({user.name}) //like this? How should controller receive this? With $http.post? } else { and now if user doesn't exist - we should create it with user ID generated by my function var nUser = new User({ name: generId(), password: req.body.password }); nUser.save(function(err) { if (err) return next(err); )}; )}; )}; Am I doing anything right? I'm pretty new to js and angular. If so - how do I throw a username back at controller? If someone is interested - this service exists for 100+ symbol passphrases so possibility of entering same passphrase as someone else is miserable. And yeah, If someone logged in under 123 password - the other guy will log in as same user if he entered 123 password, but hey, you are warned to make a big passphrase. So I'm confident about the idea and I only need a help with understanding and realization.

    Read the article

  • Am I supposed to store hashes for passwords?

    - by Doug
    User System and Passwords: I was looking through MD5 stuff, and I am wondering what is the normal/good practice for passwords. Right now, I think people super encrypt the passwords and store the hashes. If so, how does password checking work? I just have the input password go through the encryption process again and then check the hash with the stored one, correct? This question may contradict the above, but should my salt ever be a randomly generated value?

    Read the article

  • Are parametrized calls/sanitization/escaping characters necessary for hashed password fields in SQL queries?

    - by Computerish
    When writing a login system for a website, it is standard to use some combination of parameterized calls, sanitizing the user input, and/or escaping special characters to prevent SQL injection attacks. Any good login system, however, should also hash (and possibly salt) every password before it goes into an SQL query, so is it still necessary to worry about SQL injection attacks in passwords? Doesn't a hash completely eliminate any possibility of an SQL injection attack on its own?

    Read the article

  • A Security (encryption) Dilemma

    - by TravisPUK
    I have an internal WPF client application that accesses a database. The application is a central resource for a Support team and as such includes Remote Access/Login information for clients. At the moment this database is not available via a web interface etc, but one day is likely to. The remote access information includes the username and passwords for the client's networks so that our client's software applications can be remotely supported by us. I need to store the usernames and passwords in the database and provide the support consultants access to them so that they can login to the client's system and then provide support. Hope this is making sense. So the dilemma is that I don't want to store the usernames and passwords in cleartext on the database to ensure that if the DB was ever compromised, I am not then providing access to our client's networks to whomever gets the database. I have looked at two-way encryption of the passwords, but as they say, two-way is not much different to cleartext as if you can decrypt it, so can an attacker... eventually. The problem here is that I have setup a method to use a salt and a passcode that are stored in the application, I have used a salt that is stored in the db, but all have their weaknesses, ie if the app was reflected it exposes the salts etc. How can I secure the usernames and passwords in my database, and yet still provide the ability for my support consultants to view the information in the application so they can use it to login? This is obviously different to storing user's passwords as these are one way because I don't need to know what they are. But I do need to know what the client's remote access passwords are as we need to enter them in at the time of remoting to them. Anybody have some theories on what would be the best approach here? update The function I am trying to build is for our CRM application that will store the remote access details for the client. The CRM system provides call/issue tracking functionality and during the course of investigating the issue, the support consultant will need to remote in. They will then view the client's remote access details and make the connection

    Read the article

  • Add multiple ActionName for button

    - by NewToBirtReporting
    I have one controller on which i have Save button click event. Im using same controller and view for Add and Edit purpose. My code is as per below [HttpPost] [Button(ButtonName = "Save")] [ActionName("Create")] [ValidateAntiForgeryToken(Salt = "PostData")] public ActionResult Save(Ntegra m_Ntegra,FormCollection form) {} As Im Using ActionName("Create") here so button can not work for ActionName("Edit"). can anyone tell me how i can achive my requirnment!! Thanks for help...... :)

    Read the article

  • Securing an ASP.NET MVC 2 Application

    - by rajbk
    This post attempts to look at some of the methods that can be used to secure an ASP.NET MVC 2 Application called Northwind Traders Human Resources.  The sample code for the project is attached at the bottom of this post. We are going to use a slightly modified Northwind database. The screen capture from SQL server management studio shows the change. I added a new column called Salary, inserted some random salaries for the employees and then turned off AllowNulls.   The reporting relationship for Northwind Employees is shown below.   The requirements for our application are as follows: Employees can see their LastName, FirstName, Title, Address and Salary Employees are allowed to edit only their Address information Employees can see the LastName, FirstName, Title, Address and Salary of their immediate reports Employees cannot see records of non immediate reports.  Employees are allowed to edit only the Salary and Title information of their immediate reports. Employees are not allowed to edit the Address of an immediate report Employees should be authenticated into the system. Employees by default get the “Employee” role. If a user has direct reports, they will also get assigned a “Manager” role. We use a very basic empId/pwd scheme of EmployeeID (1-9) and password test$1. You should never do this in an actual application. The application should protect from Cross Site Request Forgery (CSRF). For example, Michael could trick Steven, who is already logged on to the HR website, to load a page which contains a malicious request. where without Steven’s knowledge, a form on the site posts information back to the Northwind HR website using Steven’s credentials. Michael could use this technique to give himself a raise :-) UI Notes The layout of our app looks like so: When Nancy (EmpID 1) signs on, she sees the default page with her details and is allowed to edit her address. If Nancy attempts to view the record of employee Andrew who has an employeeID of 2 (Employees/Edit/2), she will get a “Not Authorized” error page. When Andrew (EmpID 2) signs on, he can edit the address field of his record and change the title and salary of employees that directly report to him. Implementation Notes All controllers inherit from a BaseController. The BaseController currently only has error handling code. When a user signs on, we check to see if they are in a Manager role. We then create a FormsAuthenticationTicket, encrypt it (including the roles that the employee belongs to) and add it to a cookie. private void SetAuthenticationCookie(int employeeID, List<string> roles) { HttpCookiesSection cookieSection = (HttpCookiesSection) ConfigurationManager.GetSection("system.web/httpCookies"); AuthenticationSection authenticationSection = (AuthenticationSection) ConfigurationManager.GetSection("system.web/authentication"); FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket( 1, employeeID.ToString(), DateTime.Now, DateTime.Now.AddMinutes(authenticationSection.Forms.Timeout.TotalMinutes), false, string.Join("|", roles.ToArray())); String encryptedTicket = FormsAuthentication.Encrypt(authTicket); HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket); if (cookieSection.RequireSSL || authenticationSection.Forms.RequireSSL) { authCookie.Secure = true; } HttpContext.Current.Response.Cookies.Add(authCookie); } We read this cookie back in Global.asax and set the Context.User to be a new GenericPrincipal with the roles we assigned earlier. protected void Application_AuthenticateRequest(Object sender, EventArgs e){ if (Context.User != null) { string cookieName = FormsAuthentication.FormsCookieName; HttpCookie authCookie = Context.Request.Cookies[cookieName]; if (authCookie == null) return; FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value); string[] roles = authTicket.UserData.Split(new char[] { '|' }); FormsIdentity fi = (FormsIdentity)(Context.User.Identity); Context.User = new System.Security.Principal.GenericPrincipal(fi, roles); }} We ensure that a user has permissions to view a record by creating a custom attribute AuthorizeToViewID that inherits from ActionFilterAttribute. public class AuthorizeToViewIDAttribute : ActionFilterAttribute{ IEmployeeRepository employeeRepository = new EmployeeRepository(); public override void OnActionExecuting(ActionExecutingContext filterContext) { if (filterContext.ActionParameters.ContainsKey("id") && filterContext.ActionParameters["id"] != null) { if (employeeRepository.IsAuthorizedToView((int)filterContext.ActionParameters["id"])) { return; } } throw new UnauthorizedAccessException("The record does not exist or you do not have permission to access it"); }} We add the AuthorizeToView attribute to any Action method that requires authorization. [HttpPost][Authorize(Order = 1)]//To prevent CSRF[ValidateAntiForgeryToken(Salt = Globals.EditSalt, Order = 2)]//See AuthorizeToViewIDAttribute class[AuthorizeToViewID(Order = 3)] [ActionName("Edit")]public ActionResult Update(int id){ var employeeToEdit = employeeRepository.GetEmployee(id); if (employeeToEdit != null) { //Employees can edit only their address //A manager can edit the title and salary of their subordinate string[] whiteList = (employeeToEdit.IsSubordinate) ? new string[] { "Title", "Salary" } : new string[] { "Address" }; if (TryUpdateModel(employeeToEdit, whiteList)) { employeeRepository.Save(employeeToEdit); return RedirectToAction("Details", new { id = id }); } else { ModelState.AddModelError("", "Please correct the following errors."); } } return View(employeeToEdit);} The Authorize attribute is added to ensure that only authorized users can execute that Action. We use the TryUpdateModel with a white list to ensure that (a) an employee is able to edit only their Address and (b) that a manager is able to edit only the Title and Salary of a subordinate. This works in conjunction with the AuthorizeToViewIDAttribute. The ValidateAntiForgeryToken attribute is added (with a salt) to avoid CSRF. The Order on the attributes specify the order in which the attributes are executed. The Edit View uses the AntiForgeryToken helper to render the hidden token: ......<% using (Html.BeginForm()) {%><%=Html.AntiForgeryToken(NorthwindHR.Models.Globals.EditSalt)%><%= Html.ValidationSummary(true, "Please correct the errors and try again.") %><div class="editor-label"> <%= Html.LabelFor(model => model.LastName) %></div><div class="editor-field">...... The application uses View specific models for ease of model binding. public class EmployeeViewModel{ public int EmployeeID; [Required] [DisplayName("Last Name")] public string LastName { get; set; } [Required] [DisplayName("First Name")] public string FirstName { get; set; } [Required] [DisplayName("Title")] public string Title { get; set; } [Required] [DisplayName("Address")] public string Address { get; set; } [Required] [DisplayName("Salary")] [Range(500, double.MaxValue)] public decimal Salary { get; set; } public bool IsSubordinate { get; set; }} To help with displaying readonly/editable fields, we use a helper method. //Simple extension method to display a TextboxFor or DisplayFor based on the isEditable variablepublic static MvcHtmlString TextBoxOrLabelFor<TModel, TProperty>(this HtmlHelper<TModel> htmlHelper, Expression<Func<TModel, TProperty>> expression, bool isEditable){ if (isEditable) { return htmlHelper.TextBoxFor(expression); } else { return htmlHelper.DisplayFor(expression); }} The helper method is used in the view like so: <%=Html.TextBoxOrLabelFor(model => model.Title, Model.IsSubordinate)%> As mentioned in this post, there is a much easier way to update properties on an object. Download Demo Project VS 2008, ASP.NET MVC 2 RTM Remember to change the connectionString to point to your Northwind DB NorthwindHR.zip Feedback and bugs are always welcome :-)

    Read the article

  • How can I get access to password hashing in postgresql? Tried installing postgresql-contrib in ubun

    - by Tchalvak
    So I'm trying to just hash some passwords in postgresql, and the only hashing solution that I've found for postgresql is part of the pgcrytpo package ( http://www.postgresql.org/docs/8.3/static/pgcrypto.html ) that is supposed to be in postgresql-contrib ( http://www.postgresql.org/docs/8.3/static/contrib.html ). So I installed postgresql-contrib, (sudo apt-get install postgresql-contrib), restarted my server (as a simple way to restart postgresql). However, I still don't have access to any of the functions for hashing that are supposed to be in postgresql-contrib, e.g.: ninjawars=# select crypt('global salt' || 'new password' || 'user created date', gen_salt('sha256')); ERROR: function gen_salt(unknown) does not exist ninjawars=# select digest('test', 'sha256') from players limit 1; ERROR: function digest(unknown, unknown) does not exist ninjawars=# select hmac('test', 'sha256') from players limit 1; ERROR: function hmac(unknown, unknown) does not exist So how can I hash passwords in postgresql, on ubuntu?

    Read the article

  • losetup does not decrypt device in Ubuntu 11.4 as before

    - by Kay
    I had an external volume mounted using losetup for about two years. It was created using Ubuntu 9.4 and I used the same Ubuntu installation throughout all dist upgrades. Now as I bought a new laptop I set up a fresh Ubuntu 11.4 installation on it. Problem is: losetup -e twofish /dev/loop0 /dev/sdb2 does not decrypt the volume anymore. The data in /dev/loop0 contains apparently random data. I am sure I entered the correct password. I modprobe'd cryptoloop and twofish. My question is: Has Canonical done some obscure changes to losetup like adding a salt? Does losetup depend on configuration files I did not know about? How can I decrypt the volume on my now laptop?

    Read the article

  • Why does this work: Windows same local admin username and password, able to access other computer?

    - by Ankush
    I've two machines MachineA and MachineB. Both have two local accounts which have same username . Both accounts are local admin on those machines. If they have same password, I'm able to access \\MachineA\C$ from MachineB. But if I change any one password above doesn't work. And it prompts for username and password. Now if I provide MachineA\username and password, it then connects. Why isn't there a prompt for password when passwords are same? I expected passwords to be hashed with random salt, how does windows know passwords are same and authorize access? These machines are running Windows Server 2008 R2. PS. I've created following reg key to enable drive access HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1

    Read the article

  • create log for an encrypted tar

    - by magiza83
    I want to create an encrypted tar but also I want to have a log of what tar has compressed, I'm using the following command: tar -cvvf - --files-from=/root/backup.cfg | openssl des3 -salt -k backuppass | dd of=/root/tmp/back.encrypted But I need to have a log of tar's stdout. I don't know how to get it, because If I use "" in tar command openssl result is not correct. I've also checked tar manual hoping to find some option to write stdout to a file, but I have found nothing. any help? thanks & Regards.

    Read the article

  • Blocking apache access via user agent string

    - by Tchalvak
    I've got a scripter who is using a proxy to attack a website I'm serving. I've noticed that they tend to access the site via software with a certain common user agent string (i.e. http://www.itsecteam.com/en/projects/project1_page2.htm "Havij advanced sql injection software" with a user_agent string of Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij). I'm aware that any cracking software worth it's salt will probably be able to modify it's user agent string, but I'm fine with the scripter having to deal with that feature at some point. So, is there any software out there for automatically blocking access & permanently blacklisting by matching user agent strings?

    Read the article

  • Material to use for computer system cover against UV and salty air?

    - by hippietrail
    I live right next to the sea and have a large window quite close to my computer setup which allows a lot of indirect sunlight to enter. I'd like to buy or make a cover for my computer system. From visiting my usual mom & pop computer shop yesterday I got the impression these might not really exist any more. If I make my own I need a material with these qualities: Block or reduce ultraviolet light which can depolymerize plastics (the sun here in Australia is much stronger than in the northern hemisphere). Block salt-laden sea air which can oxidize USB and other connectors. Not cause static electricity when covering or uncovering. Keep dust off of course (-: My setup is a laptop plugged into a wide-screen LCD with a few external drives. So I think I'd want a largish sheet to flop over the whole desk. Are such covers commonly sold these days? What material(s) should I look for which provides the listed attributes?

    Read the article

  • SQL SERVER – Identify Most Resource Intensive Queries – SQL in Sixty Seconds #028 – Video

    - by pinaldave
    During performance tuning conversation the very first question people often ask is what are the queries offending the server or in another word let us identify the queries which are the most resource intensive. The resources are often described as either Memory, CPU or IO. When we talk about the queries the same is applicable for them as well. The query which is doing lots of reads or writes are for sure resource intensive as well query which are taking maximum CPU time. Performance tuning is a very deep subject and we all have our own preference regarding what should be the first step to tuning and what should be looked with the salt of grain. Though there is no denying that a query which uses more resources than what it should be using for sure require tuning. There are many ways to do identify query using intense resources (e.g. Extended events etc) but in this one we will go by simple DMV. There is a small gotcha we all have to remember about usage of DMV is that it only brings back results from existing cache. So if you have a query which is very resource intensive but is not cached or if you have explicitly removed the query from the cache it will be not part of the result returned by this DMV. It is quite possible that a query is aged and removed from the cache if your cache is not huge. If your cache is large you may want to be careful in running this query during business hours as this query itself can be resource intensive. Get Script to identify resource intensive query from Here Related Tips in SQL in Sixty Seconds: SQL SERVER – Find Most Expensive Queries Using DMV Simple Example to Configure Resource Governor – Introduction to Resource Governor SQL SERVER – DMV – sys.dm_exec_query_optimizer_info – Statistics of Optimizer SQL SERVER – Wait Stats – Wait Types – Wait Queues – Day 0 of 28 Reference: Pinal Dave (http://blog.sqlauthority.com) Filed under: Database, Pinal Dave, PostADay, SQL, SQL Authority, SQL in Sixty Seconds, SQL Query, SQL Scripts, SQL Server, SQL Server Management Studio, SQL Tips and Tricks, T SQL, Technology, Video Tagged: Excel

    Read the article

  • Etch a Circuit Board using a Simple Homemade Mixture

    - by ETC
    If you’ve been dabbling in DIY electronics projects but you’re not so excited about keeping strong acids around to etch your circuit boards, this simple DIY recipe uses common household chemicals in lieu of strong acid. Electronics hobbyist Stephen Hobley wanted to see if he could create an etching solution that wasn’t as dangerous and noxious smelling at traditional muriatic acid solutions. By combining regular white vinegar, hydrogen peroxide, and table salt, he created a homemade etching solution from ingredients safe enough to store in your pantry. The only downside to his recipe is that, compared to traditional etching solutions, the process takes a little bit longer so you’ll have to leave your board in the solution longer. Not a bad trade off for the ability to skip using any oops-I-burned-my-skin-off acids. Check out the process in the video below: Hit up the link below for more information and and interesting explanation of the chemical process (he talks about not quite understanding it in the video but two chemists write in and give him the full run down). DIY Etching Solution [Stephen Hobley via Make] Latest Features How-To Geek ETC Macs Don’t Make You Creative! So Why Do Artists Really Love Apple? MacX DVD Ripper Pro is Free for How-To Geek Readers (Time Limited!) HTG Explains: What’s a Solid State Drive and What Do I Need to Know? How to Get Amazing Color from Photos in Photoshop, GIMP, and Paint.NET Learn To Adjust Contrast Like a Pro in Photoshop, GIMP, and Paint.NET Have You Ever Wondered How Your Operating System Got Its Name? Etch a Circuit Board using a Simple Homemade Mixture Sync Blocker Stops iTunes from Automatically Syncing The Journey to the Mystical Forest [Wallpaper] Trace Your Browser’s Roots on the Browser Family Tree [Infographic] Save Files Directly from Your Browser to the Cloud in Chrome and Iron The Steve Jobs Chronicles – Charlie and the Apple Factory [Video]

    Read the article

  • Tuxedo 11gR1 Released

    - by todd.little
    I've been a little quiet the last several months as the Tuxedo team has been very busy. Today Oracle announced the 11gR1 release of the Tuxedo product family. This release includes updates to Tuxedo, TSAM, and SALT, as well as 3 new products that Oracle is announcing today. These 3 new products are the Oracle Tuxedo Application Runtime for CICS and Batch, Oracle Application Rehosting Workbench, and the Tuxedo JCA Adapter. By providing a CICS equivalent runtime and a rehosting workbench to automate the rehosting of COBOL CICS code, JCL procedures, data definitions, and data, Oracle has significantly lowered the effort and risk to rehost mainframe CICS and Batch applications onto the Tuxedo runtime on open systems. By moving off proprietary legacy mainframes, customers have experienced better performance and achieved a 50-80% lowering of their total cost of ownership. The rehosting tools allow the COBOL business logic to remain unchanged and automate the replacement of CICS statements with calls to Tuxedo. The rehosted code can then run on open systems 'as-is'. Users can still use the same TN3270 interfaces they are used to eliminating the need for retraining. Batch procedures can be run and managed under a JES2 like environment. For the first time, customers have the tools and enterprise class runtime environment to move their key legacy assets off the mainframe and on to distributed open systems whether the application uses 250 MIPS, 25,000 MIPS, or more. More on these exciting new options in additional blog entries.

    Read the article

  • Rails on server syntax error?

    - by Danny McClelland
    Hi Everyone, I am trying to get my rails application running on my web server, but when I run the rake db:migrate I get the following error: r oot@oak [/home/macandco/rails_apps/survey_manager]# rake db:migrate (in /home/macandco/rails_apps/survey_manager) == Baseapp: migrating ======================================================== -- create_table(:settings, {:force=>true}) -> 0.0072s -- create_table(:users) -> 0.0072s -- add_index(:users, :login, {:unique=>true}) -> 0.0097s -- create_table(:profiles) -> 0.0084s -- create_table(:open_id_authentication_associations, {:force=>true}) -> 0.0067s -- create_table(:open_id_authentication_nonces, {:force=>true}) -> 0.0064s -- create_table(:roles) -> 0.0052s -- create_table(:roles_users, {:id=>false}) -> 0.0060s rake aborted! An error has occurred, all later migrations canceled: 555 5.5.2 Syntax error. g9sm2526951gvc.8 Has anyone come across this before? Thanks, Danny Main Migration file c lass Baseapp < ActiveRecord::Migration def self.up # Create Settings Table create_table :settings, :force => true do |t| t.string :label t.string :identifier t.text :description t.string :field_type, :default => 'string' t.text :value t.timestamps end # Create Users Table create_table :users do |t| t.string :login, :limit => 40 t.string :identity_url t.string :name, :limit => 100, :default => '', :null => true t.string :email, :limit => 100 t.string :mobile t.string :signaturenotes t.string :crypted_password, :limit => 40 t.string :salt, :limit => 40 t.string :remember_token, :limit => 40 t.string :activation_code, :limit => 40 t.string :state, :null => :false, :default => 'passive' t.datetime :remember_token_expires_at t.string :password_reset_code, :default => nil t.datetime :activated_at t.datetime :deleted_at t.timestamps end add_index :users, :login, :unique => true # Create Profile Table create_table :profiles do |t| t.references :user t.string :real_name t.string :location t.string :website t.string :mobile t.timestamps end # Create OpenID Tables create_table :open_id_authentication_associations, :force => true do |t| t.integer :issued, :lifetime t.string :handle, :assoc_type t.binary :server_url, :secret end create_table :open_id_authentication_nonces, :force => true do |t| t.integer :timestamp, :null => false t.string :server_url, :null => true t.string :salt, :null => false end create_table :roles do |t| t.column :name, :string end # generate the join table create_table :roles_users, :id => false do |t| t.column :role_id, :integer t.column :user_id, :integer end # Create admin role and user admin_role = Role.create(:name => 'admin') user = User.create do |u| u.login = 'admin' u.password = u.password_confirmation = 'advices' u.email = '[email protected]' end user.register! user.activate! user.roles << admin_role end def self.down # Drop all BaseApp drop_table :settings drop_table :users drop_table :profiles drop_table :open_id_authentication_associations drop_table :open_id_authentication_nonces drop_table :roles drop_table :roles_users end end

    Read the article

  • links for 2010-05-19

    - by Bob Rhubart
    Presentations from #otnarchday in Dallas now available on Slideshare Includes presentations on IT Optimization, Application Integration Architecture, Application Grid, and Infrastructure Consolidation. More to come. Anthony Shorten: JMX Based Monitoring - Part Four - Business App Server Monitoring Anthony Shorten discuss a new Oracle Utilities Application Framework V4 feature that allows JMX to be used for management and monitoring the Oracle Utilities business application server component. (tags: oracle otn java architect) New book: Oracle Coherence 3.5 An overview of the new book by authors Aleksandar Seovic, Mark Falco, Patrick Peralta. (tags: oracle otn grid architect) Douwe Pieter van den Bos: Next step in Virtualization: VirtualBox 3.2 "For businesses, VirtualBox just might be the answer they where looking for," says Douwe Pieter van den Bos. "A simple and widely supported virtual machine." (tags: oracle otn virtualization architect) Maurice Gamanho: Python and Ruby in Tuxedo Maurice Gamanho's quick overview of new features in Oracle's Service Architecture Leveraging Tuxedo (SALT) 11gR1. (tags: oracle otn soa architect) Live Webcast: Oracle and AmberPoint - May 20, 2010 - 10 a.m. PT/1 p.m. ET Ed Horst and Ashish Mohindroo discuss the advantages of the Oracle and AmberPoint combination. (tags: oracle otn architect soa governance)

    Read the article

  • Is SHA-1 secure for password storage?

    - by Tgr
    Some people throw around remarks like "SHA-1 is broken" a lot, so I'm trying to understand what exactly that means. Let's assume I have a database of SHA-1 password hashes, and an attacker whith a state of the art SHA-1 breaking algorithm and a botnet with 100,000 machines gets access to it. (Having control over 100k home computers would mean they can do about 10^15 operations per second.) How much time would they need to find out the password of any one user? find out the password of a given user? find out the password of all users? find a way to log in as one of the users? find a way to log in as a specific user? How does that change if the passwords are salted? Does the method of salting (prefix, postfix, both, or something more complicated like xor-ing) matter? Here is my current understanding, after some googling. Please correct in the answers if I misunderstood something. If there is no salt, a rainbow attack will immediately find all passwords (except extremely long ones). If there is a sufficiently long random salt, the most effective way to find out the passwords is a brute force or dictionary attack. Neither collision nor preimage attacks are any help in finding out the actual password, so cryptographic attacks against SHA-1 are no help here. It doesn't even matter much what algorithm is used - one could even use MD5 or MD4 and the passwords would be just as safe (there is a slight difference because computing a SHA-1 hash is slower). To evaluate how safe "just as safe" is, let's assume that a single sha1 run takes 1000 operations and passwords contain uppercase, lowercase and digits (that is, 60 characters). That means the attacker can test 1015*60*60*24 / 1000 ~= 1017 potential password a day. For a brute force attack, that would mean testing all passwords up to 9 characters in 3 hours, up to 10 characters in a week, up to 11 characters in a year. (It takes 60 times as much for every additional character.) A dictionary attack is much, much faster (even an attacker with a single computer could pull it off in hours), but only finds weak passwords. To log in as a user, the attacker does not need to find out the exact password; it is enough to find a string that results in the same hash. This is called a first preimage attack. As far as I could find, there are no preimage attacks against SHA-1. (A bruteforce attack would take 2160 operations, which means our theoretical attacker would need 1030 years to pull it off. Limits of theoretical possibility are around 260 operations, at which the attack would take a few years.) There are preimage attacks against reduced versions of SHA-1 with negligible effect (for the reduced SHA-1 which uses 44 steps instead of 80, attack time is down from 2160 operations to 2157). There are collision attacks against SHA-1 which are well within theoretical possibility (the best I found brings the time down from 280 to 252), but those are useless against password hashes, even without salting. In short, storing passwords with SHA-1 seems perfectly safe. Did I miss something?

    Read the article

  • Security in a private web service

    - by Oni
    I am developing a web site and a web service for a small on-line game. Technically, I'll be using Express (node.js) and MongoDB+Redis for the databases. This the structure I came up with: One Express server that will server as the Web Service. This will connect to the databases. One Express server that will provide the web site. It will connect to the Web Service to retrieve and push the information. iOS and Android application will be able to interact with the WebService. Taking into account: It is a small game. The information transferred is not critical. There will NOT be third party applications. At least for the moment. My concern is about which level of security I should use in each of the scenarios: Security of the user playing through web browser Security of the applications and the Web Server connecting to the WS. I have take a look at the different options and: OAuth and/or Https is too much for this scenario, isn't it? Will be a good option to hash the user and password with MD5(or similar) and some salt? I would like to get some directions and investigate by my own rather than getting a response like "you should you use this node.js module..." Thanks in advance,

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 4 5 6 7 8 9 10 11 12  | Next Page >