Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>Actually, there's a way you could possibly do what you're talking about...</p> <p>You could have the user type his name and password into a form that runs a purely client-side script which generates a hash based on the name and pw. That hash is used as a unique id for the user, and is sent to the server. This way the server only knows the user by hash, not by name.</p> <p>For this to work, though, the hash would have to be different from the normal password hash, and the user would be required to enter their name / password an additional time before the server would have any 'memory' of what that person bought.</p> <p>The server could remember what the person bought for the duration of their session and then 'forget', because the database would contain no link between the user accounts and the sensitive info.</p> <p><strong>edit</strong></p> <p>In response to those who say hashing on the client is a security risk: It's not if you do it right. It should be assumed that a hash algorithm is known or knowable. To say otherwise amounts to "security through obscurity." Hashing doesn't involve any private keys, and dynamic hashes could be used to prevent tampering.</p> <p>For example, you take a hash generator like this:</p> <p><a href="http://baagoe.com/en/RandomMusings/javascript/Mash.js" rel="nofollow noreferrer">http://baagoe.com/en/RandomMusings/javascript/Mash.js</a></p> <pre><code>// From http://baagoe.com/en/RandomMusings/javascript/ // Johannes Baagoe &lt;baagoe@baagoe.com&gt;, 2010 function Mash() { var n = 0xefc8249d; var mash = function(data) { data = data.toString(); for (var i = 0; i &lt; data.length; i++) { n += data.charCodeAt(i); var h = 0.02519603282416938 * n; n = h &gt;&gt;&gt; 0; h -= n; h *= n; n = h &gt;&gt;&gt; 0; h -= n; n += h * 0x100000000; // 2^32 } return (n &gt;&gt;&gt; 0) * 2.3283064365386963e-10; // 2^-32 }; mash.version = 'Mash 0.9'; return mash; } </code></pre> <p>See how <code>n</code> changes, each time you hash a string you get something different. </p> <ul> <li>Hash the username+password using a normal hash algo. This will be the same as the key of the 'secret' table in the database, but will match nothing else in the database.</li> <li>Append the hashed pass to the username and hash it with the above algorithm.</li> <li>Base-16 encode <code>var n</code> and append it in the original hash with a delimiter character.</li> </ul> <p>This will create a <em>unique hash</em> (will be different each time) which can be checked by the system against each column in the database. The system can be set up be allow a particular unique hash only once (say, once a year), preventing MITM attacks, and none of the user's information is passed across the wire. Unless I'm missing something, there is nothing insecure about this.</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload