Encrypted versus hashed passwords

I’m trying to decide whether it is better to store passwords in a database as key-encrypted strings, or as the result of a hash function (with salt).


An encrypted string is secure as long as the key is secure, which it seems to me is both its strength and its Achilles’ heel. Since the application that accesses the database needs to use the key, that means that if both the database and the application server are compromised, the data is compromised.

It also means that if the application developers have access to the database, or if the DBAs have access to the application code, the data is available to those individuals. Even though those users are most likely trustworthy, it is perhaps an unnecessary risk, not to mention that their workstations may be compromised. On top of that, you need to worry about key escrow: if you lose the key, you no longer have access to your own data.

A hashed value is secure even if the database and the application are compromised, as it is the result of a one-way function. The value is also inaccessible to either the application developers or the DBAs, which provides an additional layer of security. On the other hand, since it uses a well-known hash function, such as MD5, creating a dictionary file of hashed values is trivial, and apparently an even more effective method to reveal hashed data is to use a rainbow table (the description of which goes a bit over my head right now).

That’s where the salt comes in: concatenate the original value along with extra data before creating the hash. I can see how this would foil a simple dictionary of hashed values. From what I’ve read, the salt value can be unique for each hashed value, and can be stored alongside the hashed value in the database. I’m not sure I entirely understand how that defends against rainbow tables, but it sounds good to me.

Using a hashed value, you can’t retrieve the original data; you can only match against it. This would not work well for data that you need to access again in its original form, e.g. phone numbers. This is a drawback in some cases, but probably not for passwords.

Right now I’m leaning towards salted hash over encryption, but maybe that’s because I’m hungry and it sounds more like breakfast. I’d love to know what other people think.
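To make the salted-hash approach concrete, here is an added example (mine, not from the post) of storing and matching passwords the way the post describes: a random salt per password, stored next to the digest, and a verify step that can only recompute and compare, never recover the original. It uses PBKDF2 over SHA-256 rather than the MD5 the post mentions; the record format and the iteration count are my own choices.

```python
import hashlib
import hmac
import os

# Parameters chosen for this example (not from the original post).
SALT_BYTES = 16
ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a storable record "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>".

    The salt is generated per password and stored alongside the digest, as the
    post describes. Unlike an encryption key, it does not need to be secret:
    its job is to make every stored digest unique, not to hide anything.
    """
    if not salt:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Match a login attempt against a stored record.

    The original password cannot be read back out of the record; we can only
    redo the hash with the stored salt and compare.
    """
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:  # malformed record
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_distinct_records(password: str) -> bool:
    """Two users with the same password get different stored digests.

    This is what defeats a precomputed dictionary or rainbow table: a table
    keyed on the bare password matches neither record, so the work has to be
    redone per salt. Both records still verify against the real password.
    """
    a, b = hash_password(password), hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong guess", rec))                   # False
    print(same_password_distinct_records("hunter2"))            # True
```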

Create an XSL stylesheet for your RSS or Atom feeds

Internet Explorer 6 and, curiously enough, Google’s Chrome browser, don’t display RSS or Atom feeds in a particularly helpful manner. IE6 displays neatly-formatted XML, with color-coding and indentation, whereas Chrome displays the text node of all the XML tags without so much as a linebreak:

Slashdot's RSS feed in IE6 and Chrome, respectively

Either way is completely intimidating to an RSS novice. Fortunately, we can change that.

Javascript textarea counter

I’ve been thinking more about the textarea counter issue that I mentioned in my previous post (“Users Paste Differently”).

First of all, I noticed that some of the textarea counter scripts date back to at least 2000, so this has been a problem that developers have been looking to solve for 8 years. I checked the HTML 5 specification and found that in HTML 5, the textarea element has a maxlength attribute. Presumably user agents will build in the most elegant solution.

But what is the current most elegant solution?

Users Paste Differently

I’ve been using a relatively generic Javascript textarea counter for several years to restrict the input length on form textareas. I’m not sure where the specific version I’m using came from, but you can find dozens like it on Google.

Almost all of them rely on the onKeyDown and onKeyUp events to trigger the script. However, some users still managed to submit text that exceeded the limits, even though the application required Javascript. I could not for the life of me reproduce this issue…until today.

Testing Tools

A couple of useful testing tools I thought I’d share:

The latter seems a little buggy, but still easier to use than removing and installing different Flash versions yourself.

Code Reviews

I recently attended a code review at Wharton. We’ve put together some code reviews at my job, but I know that Wharton has been doing formal code reviews for years and I wanted to check out their process to compare notes. For this particular code review they were looking at a small ColdFusion application developed using Squidhead.

Generating iCal files with ColdFusion

I’ve been using ColdFusion to generate and mail iCal (*.ics) files. This should be a cinch, as they are really pretty simple text files. However, when I receive the file in Microsoft Outlook 2007, I have no options to add it to my calendar and I see the following message: “As the meeting organizer, you do not need to respond to the meeting.”

This is peculiar, as my address is not the organizer specified in the iCal file, it is only the recipient of the iCal attachment. I’m going to keep looking into it, but I thought I’d mention it here in case anyone else is running into the same issue.

The two functions I’ve found online to assist in generating iCal files are:

Secure/nonsecure messages in MovableType 4.2

I have lately been working with a Movable Type install on an SSL-enabled server. In IE, I keep getting pesky warning messages:

This page contains both secure and nonsecure items. Do you want to display the nonsecure items?

I disabled Javascript and the error messages are gone, so I figured the culprit must lie somewhere in the Javascript. One particular file, JavaScriptFlashGateway.js, contained
flashTag += 'codebase="http://download.macromedia.com ... ';

I’m going to see if updating that will address the issue, but I have a feeling there may be other issues. Has anyone else run into this? My Google searches have been coming up empty.

Time Tracking Software

The development team where I work is going to start tracking the time spent working on each project. Although in some ways this feels like a bureaucratic hassle, it will be useful as far as justifying our existence and providing some ammo for why we shouldn’t tackle every suggestion that crosses our desks (e.g. the “trivial tweak” that actually takes 12 hours to implement).

Adobe AIR and digital certificate password length

I’ve received several e-mail messages over the past couple months letting me know that the desktop magic eight ball application I created for a beta version of Adobe AIR no longer worked.

Naturally, it wasn’t the highest priority on my to-do list, but I finally decided to get around to it. But I kept getting an error message: “no such file C:\air\eightball\in”