• A Developer's Guide to Storage and Manipulation of Passwords

    For many users, creating and entering passwords is an everyday occurrence. On today’s internet, very few services will allow access without some form of credential. Whether it’s internet banking or social networking, the user is required to enter a username and a password.

    Although passwords have a number of weaknesses when compared to alternative methods (such as One Time Tokens), they continue to be the most common form of authorisation. As a developer, it is highly likely that you will need to process and store passwords at some point.

    The aim of this whitepaper is to look at the strengths and weaknesses of the various methods available. We will also look into the available methods of processing supplied credentials to establish whether to permit the user access to the system.

  • Allowing File Uploads direct from Dropbox

    It's been over 3 months since Dropbox announced the availability of 'Chooser', a simple way to allow users to upload files to your site direct from their Dropbox, but I've not seen it in use anywhere. That's a little disappointing really, partially because it's incredibly simple to use and implement, but also because I was really hoping it might prompt some of Dropbox's competitors to create something similar.

    It makes life a lot easier for your users (especially those who want to upload from a *cough iOS* device with file uploads disabled) and the hassle of setting it up is minimal.

    In this post, I'll be showing how to implement the Dropbox chooser into a simple PHP site.

  • Communicating with HomePlugAV Devices using Python

    I've got a couple of pairs of ON Networks' PL 500 HomePlugAV Powerline Adapters and have been playing around with them to see how they compare to the Computrend 902 devices I played around with 5 years ago.

    I'm still playing around with the kit, but thought I'd document a very basic example of how to send commands to the devices using Python - the instructions should work for any kit based on Qualcomm's INT6x00 and AR7x00 chipsets (mine use the AR7420/QCA7420) - we'll be changing one of the encryption keys (the NMK) that the devices use.

  • Linking a Git Repo with Pivotal Tracker

    Everyone seems to use GitHub nowadays, but occasionally you want a private repo (without paying), so you set up a local Git repo instead. The problem being, you often lose the integration with the other tools that you use to manage projects. Git has the ability, but it is somewhat reliant on you having the relevant scripts available (such as post-receive).

    This documentation details how to configure your Git repo to link up with Pivotal Tracker.

  • MySQL Cheatsheet

    I started an article on basic MySQL Tips and Tricks a little while ago, but never quite finished it. This documentation contains those tips as well as some additional techniques I've picked up.

  • Python3 - TypeError: encoding without a string argument

    I thought I'd document this as although the cause/fix is fairly simple, searching for the error string encoding without a string argument gives a lot of hits for a similarly structured but different error - string argument without an encoding.

    An example backtrace might be:

    Traceback (most recent call last):
      File "./profiler.py", line 346, in <module>
        meta['config_files']['pdns'] = zip_and_compress(read_file_content('/etc/powerdns/pdns.conf'))
      File "./profiler.py", line 289, in zip_and_compress
        gz = gzip.compress(bytes(s,"utf-8"))
    TypeError: encoding without a string argument

    With the example code being fairly simple:

    import base64
    import gzip


    def read_file_content(path):
        ''' Read the entirety of a file into a variable
        '''
        file_content = None
        # Opened in binary mode, so this returns bytes rather than str
        with open(path, 'rb') as content_file:
            file_content = content_file.read()

        return file_content


    def zip_and_compress(s):
        ''' Config files can get quite sizeable. To keep the size of our output DB down
        we gzip and then ascii armour them
        '''
        # bytes(s, "utf-8") expects s to be a str; passing bytes raises the TypeError above
        gz = gzip.compress(bytes(s,"utf-8"))
        return base64.b64encode(gz).decode("utf-8")


    zip_and_compress(read_file_content('/etc/powerdns/pdns.conf'))

  • Sending commit notifications using Git post-receive hooks

    I make heavy use of Git, and have plugins that allow me to view my commits when viewing issues in JIRA. Unfortunately these plugins rely on Lucene indexes which has proven to be a bit of an issue when archiving projects (or maintaining a HTML fallback).

    There are various post-receive hooks out there for sending mail notifications out whenever someone runs 'git push', however they're generally tailored towards notifying a group of developers.

    I simply wanted the equivalent of 'git log' to appear within my JIRA activity flow on any issue which is mentioned in the commit message.

    This documentation provides a python based post-receive hook intended to do just that, and also documents exactly how to go about applying that hook to all existing and future repos on your server.

  • The Importance of Salting Stored Passwords And How To Do So Correctly

    Many will have watched the recent releases of user passwords from Sony (and others) with interest. A lot of people won't, however, realise why Sony's practices were so poor. For many, storing passwords means just that, purely because they aren't aware of the methods available to make it a lot harder for an attacker to gain access to users' passwords.

    Whilst network security obviously plays a very important part, even when that fails it should be almost impossible for an attacker to tell you what your password was based on nothing but a database dump. In this short post we'll examine exactly how passwords should be handled and stored in a database.

  • Unable to check for Euro Symbol in POST data

    I came across an interesting issue this week, having created a form to submit data I then needed to check against stored values to pre-populate fields if a user had already completed the form. Pretty simple stuff really, not much more to it than

    ?>
    <input type="checkbox" value="<?php echo htmlspecialchars($val); ?>" <?php if ($stored == $val) { echo " checked"; } ?>>

    But, I found that where the euro symbol (€) is concerned, things can get quite difficult.

    This documentation details the issue I found and how to work around it.

  • Understanding Password Storage

    I occasionally receive emails from people who have come across PHPCredlocker, and the question is usually the same - "Why are you storing passwords using reversible encryption?". Most emails are polite, some not so much, but they all have one thing in common - assuming that a commonly stated fact applies to all scenarios, and failing to apply a bit of simple logic that would tell them the answer - because that's the only way the system would work.

    In this post, we'll be briefly looking at some of the ways in which you can store credentials, and which of them are appropriate to use (and when), in the context of building an application (web or otherwise).

  • Why You Shouldn't be using SHA1 or MD5 to Store Passwords

    There are a lot of badly coded sites out there, and far too many sites still seem to be falling prey to SQL Injection vulnerabilities resulting in a lot of high profile leaks of user data.

    I wrote quite some time ago on The Importance of Salting Stored Passwords And How To Do So Correctly, but whilst the underlying message remains correct, the techniques for doing so have been outpaced by technology.

    Although still widely used, checksum algorithms such as SHA1 and MD5 are no longer sufficiently secure.

    In this post we'll be exploring why you shouldn't be using MD5/SHA1 and how you should be storing passwords.