What would be a good technique to partially display and store sensitive information like passwords or api keys?
In "browse" mode: show the decrypted value from database like a*********123
In "edit" mode: possibility to change this value. Ofcourse I want to avoid that when going in edit mode, the actual credential is fully shown just by having linked the dataprovider to that field
I am looking for a generic approach, we have dynamic forms that might contain these fields, so really working with events to show/hide fields or to work with local variables masking the values is not the preferred way
Thanks!
Technique to securely store and display credentials
4 posts
• Page 1 of 1
Technique to securely store and display credentials
by robrecht » Wed Oct 30, 2024 11:23 am
- robrecht
- Posts: 101
- Joined: Wed Aug 01, 2012 4:30 pm
Re: Technique to securely store and display credentials
by mboegem » Wed Oct 30, 2024 3:23 pm
You could use a form variable for this?
In the onShow/onRecordSelection you can set this value to 'a*******123'
In edit mode it will show the same, if you start typing you can see the credentials (or set the field type to display type 'password')
Then use the onDataChange to write a newValue into the actual column.
Personally I would never expose any character of sensitive information nor indication of the length.
Anything will help unauthorised people to know the actual data.
Hope this helps
In the onShow/onRecordSelection you can set this value to 'a*******123'
In edit mode it will show the same, if you start typing you can see the credentials (or set the field type to display type 'password')
Then use the onDataChange to write a newValue into the actual column.
Personally I would never expose any character of sensitive information nor indication of the length.
Anything will help unauthorised people to know the actual data.
Hope this helps
Marc Boegem
Solutiative / JBS Group, Partner
• Servoy Specialist
• Servoy Certified Developer
• Servoy Valued Professional
• Freelance Developer
Solutiative / JBS Group, Partner
• Servoy Specialist
• Servoy Certified Developer
• Servoy Valued Professional
• Freelance Developer
-
mboegem - Posts: 1817
- Joined: Sun Oct 14, 2007 1:34 pm
- Location: Amsterdam
Re: Technique to securely store and display credentials
by robrecht » Wed Oct 30, 2024 9:18 pm
Hi Marc,
Thank you for the answer.
You might be right about exposing any information about sensitive information.
I was somehow hoping on a solution serverside like "onRender" that masks the information sent to the client in a way that I don't have to worry about datachange, locals, etc
Server => client: mask the value, maybe even like *****
Client => server: act live a normal textbox with a dataprovider
Thanks
Robrecht
Thank you for the answer.
You might be right about exposing any information about sensitive information.
I was somehow hoping on a solution serverside like "onRender" that masks the information sent to the client in a way that I don't have to worry about datachange, locals, etc
Server => client: mask the value, maybe even like *****
Client => server: act live a normal textbox with a dataprovider
Thanks
Robrecht
- robrecht
- Posts: 101
- Joined: Wed Aug 01, 2012 4:30 pm
Re: Technique to securely store and display credentials
by sbutler » Sun Nov 03, 2024 5:44 pm
For user passwords, you should never store them, only store a salted hash of the passwords. Then you salt and hash the user input and compare it to stored salt/hashed version to see if it matches.
For other stuff like API Keys or passwords to external things, if you must store it in your database, then you could also consider a global method column converter on the column. So you store it blowfish encrypted in the db, display it like ***123 via decrypting it and masking it, and then when the user edits it, you check if its masked, and if not assume a new value, and then re-encrypt it and store it which would make it re-render with the masked value. Mark's suggestion of form variable also works.
For other stuff like API Keys or passwords to external things, if you must store it in your database, then you could also consider a global method column converter on the column. So you store it blowfish encrypted in the db, display it like ***123 via decrypting it and masking it, and then when the user edits it, you check if its masked, and if not assume a new value, and then re-encrypt it and store it which would make it re-render with the masked value. Mark's suggestion of form variable also works.
Scott Butler
iTech Professionals, Inc.
SAN Partner
Servoy Consulting & Development
Servoy University- Training Videos
Servoy Components- Plugins, Beans, and Web Components
Servoy Guy- Tips & Resources
ServoyForge- Open Source Components
iTech Professionals, Inc.
SAN Partner
Servoy Consulting & Development
Servoy University- Training Videos
Servoy Components- Plugins, Beans, and Web Components
Servoy Guy- Tips & Resources
ServoyForge- Open Source Components
-
sbutler - Servoy Expert
- Posts: 768
- Joined: Sun Jan 08, 2006 7:15 am
- Location: Cincinnati, OH
4 posts
• Page 1 of 1
Return to Programming with Servoy
Who is online
Users browsing this forum: No registered users and 11 guests