To continue with this content, please log in with your Data Access ID or create a new account.
Cancel Data Access ID
You may not be authorized to see this content. Please contact Data Access Europe for more information.
Cancel Data Access Europe
You are not authorized to see this content.
Cancel Data Access Europe
Next lesson:
Authentication Passcode Storage (Web App)

Security the Basics

Lesson 15: Authentication - Passcode Storage

If passwords are stored as plain text, they can be abused. Therefore, they must be stored securely, which in this context means expensive to break. Dedicated password hashing algorithms use specific amounts of processing power to generate a passcode hash. Others also make sure that a certain amount of memory is needed. 

To demonstrate some of this a view called, “Play with passcodes,” has been created in the SecurityBasics project. From the application screen, select VIEW from the top menu and then PLAY WITH PASSCODES. 

Entering a password into the ‘Password’ field and pressing the STORAGESTRING button (actual method in the security library that can be used) results in a string in the ‘StorageString’ field. The beginning portion of the string shows that libsodium was used as the engine and argon2id is the algorithm. The rest of the string contains some parameters, a salt value, and the resulting hash value.

Pressing the button numerous times will always result in a new string. When entering the ‘Passcode to verify’ the password needs to be an exact match and is case-sensitive. If it is the result box will show green with the ‘Verify’ button is pushed. If not, it will show as red. 

To view the code of how this was done, expand ‘Views’ under ‘SecurityBasics.src’ in the ‘Workspace Explorer’ panel on the right, and select ‘PasscodePlayground.vw.’

To look at the code for the button, expand ‘oPasscodePlayground’ in the ‘Code Explorer’ panel on the left, and select ‘oGenerateButton.’ 

The code shows that GenerateStorageString is called. Right clicking on it and selecting ‘Go To Definition’ will bring up the code showing what it does. 

Firstly, it gets the plaintext password and it is turned into a uChar array. 

Then a new object is created from the cSecurePasscodeStorageMethod class. Next the piPasscodeHashImplementation is set. In this example, it is set to C_SEC_PWHASH_LIBSODIUM_ARGON2ID. Then the number of operations is set; here it’s set to 3. This is a rather secure default, but different algorithms may require this to be set to a much higher number. The piMemLimit, which is the amount of memory used, is then set. Not all algorithms support this, but Argon2 does. Then the object is initialized. Following all of that, the storage string of the method is retrieved using the uChar array to create the storage string – Get StorageString of hoMethod (&ucaPasscode) to sStorageString

To help developers determine the number of operations (piOpsLimit) and the amount of memory (piMemLimit) to require a project template has been developed within DataFlex. To use it, navigate to FILE > NEW > PROJECT from the top menu. 

  1. Select ‘Passcode Storage Parameter Estimation Project,’ and press ok.
  2. In the following window, add a ‘File Name,’ and press ok.
  3. Run it.
  4. This needs to be run on the server the application will be deployed on because the result that shows the maximum amount of RAM that may be used is directly related to the amount of memory and the CPU cores on the machine. The absolute maximum is one gigabyte. The virtual machine used for this example does not have a great deal of memory, so 558MiB is the result for the example.
  5. The desired time is shown in measurements of 1/10th of a second, so 10 would equal to one second. If aiming for half a second, for example, enter five.
  6. Pressing ‘Determine optimal parameters’ will result in suggested optimal parameters. The example shown results in three operations and 148MiB of memory. These can be adjusted if desired.