Author Topic: Password encryption  (Read 7224 times)

TWSheppard

  • Gentle Breeze
  • **
  • Posts: 21
    • EW2262
    • IONSTITT1
    • Stittsville Weather
  • Station Details: Davis Vantage Pro 2, MacBook, 1 additional Temp/Hum sensor
Password encryption
« on: March 02, 2013, 03:30:52 AM »
As a newbie I was browsing through the .plist files trying to see if there was a reason WC was ignoring my data files created from another weather program (that's for another post). I noticed that the email password is stored in the clear, and I assume the FTP password would be too if I used FTP.

Please make sure that all password data is encrypted until used by the program.

Thanks.

JosBaz

  • Strong Breeze
  • ***
  • Posts: 232
    • INBRSON2
    • Weatherstation Son en Breugel, The Netherlands
  • Station Details: Davis Vantage Pro2 Wireless, WeatherCat on Mac OS X 10.13.6
Re: Password encryption
« Reply #1 on: March 02, 2013, 05:51:26 PM »
Hi,
FTP is not secure at all, so one could argue what the value of encrypting the PW on the PC is. The problem with FTP is that the server can only handle usernames and passwords in plain text so it will be sent unencrypted anyway. SFTP fixes that.
Jos

TWSheppard

  • Gentle Breeze
  • **
  • Posts: 21
    • EW2262
    • IONSTITT1
    • Stittsville Weather
  • Station Details: Davis Vantage Pro 2, MacBook, 1 additional Temp/Hum sensor
Re: Password encryption
« Reply #2 on: March 02, 2013, 05:59:39 PM »
Getting access to the computer to view files versus sniffing the network for passwords are two different things. It should be standard policy in all s/w development to store passwords encrypted considering it's so easy to do. I'm not a Mac developer, but for those systems I do develop for there are libraries to make two-way encryption easy to use. This is 2013. It's a hostile world.

But, it's a low probability that my email will be compromised by peeking in a WeatherCat .plist file.  :)

Tornado Tim

  • Strong Breeze
  • ***
  • Posts: 125
    • Matangi Weather
  • Station Details: Davis VP2 with Solar and WLIP Datalogger (via VVP)
Re: Password encryption
« Reply #3 on: March 02, 2013, 09:02:12 PM »
Yes Ideally passwords should be salted and hashed before storing them.
To make this easier for Steve, the passwords could be stored in apple's keychain (thats where most passwords are stored), where salting and hashing are done automatically.
For reference passwords and usernames are sent unencrypted when connecting with the server via FTP, the only way to overcome that is have SFTP (FTP with SSL encryption)


elagache

  • Global Moderator
  • Storm
  • *****
  • Posts: 6494
    • DW3835
    • KCAORIND10
    • Canebas Weather
  • Station Details: Davis Vantage Pro-2, Mac mini (2018), macOS 10.14.3, WeatherCat 3
SFTP on the "requested features" list. (Re: Password encryption)
« Reply #4 on: March 02, 2013, 09:22:47 PM »
Dear Tornado Tim, JosBaz, TWSheppard, and WeatherCat fans,

For reference passwords and usernames are sent unencrypted when connecting with the server via FTP, the only way to overcome that is have SFTP (FTP with SSL encryption)

Actually, not to nitpick, but SFTP is actually FTP an SSH protocol rather than SSL.  Here is the Wikipedia article about it:

http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol

The main difference is that you only encrypt the password data, not the data itself like SSL does.  However, there is a protocol that supports even that FTPS.

I've put in my vote for SFTP some time ago.  I don't know how many people can take advantage of this, it might not make much sense for Stu to do this because few ISPs are supporting SFTP.  I just checked and GoDaddy doesn't.  Since they are one of the largest, it means that probably most folks who don't run their own server cannot use SFTP.

Certainly an outrage given what is going on these days - but like it or not things on the Internet are increasingly  . . . . .  cheap, cheap, cheap.

Cheers, Edouard  [cheers1]

WCDev

  • WeatherCat Developer
  • Administrator
  • Storm
  • *****
  • Posts: 2911
    • CW9739
    • ISCOTLAN25
    • Trixology
  • Station Details: Main Station: Vantage Pro-2, 24hr fars, solar, soil/leaf station, extra temp stations, no U.V. WeatherLink IP.
Re: Password encryption
« Reply #5 on: March 02, 2013, 09:37:19 PM »
It's a fair cop guv, it should be in the keychain (FTP passwords are stored in the keychain). The reason it's in the prefs is historical from when we used to use mail.app to send the mail - of course that had it's issues (a surprising number of people have never run Apple's mail for example). Not that the keychain doesn't have it's problems as well, but it's the best option at the moment.

Added as a bug.

Cheers,
Stu.

Felix

  • Gale
  • ****
  • Posts: 439
  • Station Details: Davis VP-2 Plus, FARS, WeatherLink IP. Sharx cams.
Re: Password encryption
« Reply #6 on: August 05, 2014, 01:13:46 AM »
I'm aware the last post was 17 months ago. 

Just curious if this has been implemented yet (or will be in V 2)?

My domain provider (Gandi) provides hosting but upload log-on via SFTP is required.

openvista

  • Gentle Breeze
  • **
  • Posts: 39
    • EW7933
    • KMIMARQU13
    • marquetteweather.com
  • Station Details: Davis Vantage Pro2 with FARS on a Hackintosh
Re: Password encryption
« Reply #7 on: January 09, 2017, 04:04:20 AM »
I would like to voice support for adding sFTP or FTP with implicit SSL. In this day and age it's very dangerous to pass your FTP credentials in the clear. Anyone analyzing or storing packets between the uploading computer and the web server could gain access to at least the pages being uploaded, if not the entire site. 

To partially secure my site, I had to create a special folder into which I upload my processed pages using an FTP account that only has access to that folder. I then had to create Apache server redirects so I wouldn't lose any search engine juice (rankings) for the old pages. Regardless, if someone gains access to this new FTP account, my home page, gauges and 2 other pages are completely theirs. Better than owning the entire box, yes, but not good.

I am aware I could set up an automated upload task using 3rd party software. However, I would ask how many people are capable of or willing to perform most or all of what I've outlined to secure their sites. Thus the request for secure FTP.

I appreciate anything the developer(s) can do to implement this realizing it may be difficult.



Davis Vantage Pro2 with FARS | https://marquetteweather.com

jhoke

  • Gentle Breeze
  • **
  • Posts: 56
  • this space for rent
    • EW5604
    • KPAALBRI11
    • Indian Mountain Lakes - Carbon County Weather
  • Station Details: Davis Vantage Pro2, MacMini (i5 2.5Ghz 4GBRam 500GB HD, 4TB attached storage), other bits coming soon (UV, etc)
Re: Password encryption
« Reply #8 on: April 09, 2017, 02:29:18 PM »
I absolutely 100% completely support the addition of SFTP (TCP Port 22) file transport. I am the head of cybersecurity for a fortune 300 company and we have stopped using FTP years ago due to its security risks, as well as the issues of PASV controls, etc.

All OSX devices have SSH/SFTP clients that can be used, as well as code access to it via the Dev libraries.

I would recommend that SFTP be provided as an option, but not removing FTP for those specific needs where required.

In regards to passwords... Stu cannot HASH them, as they need to be passed to the server (ex Wunderground). If he hashed the word "Password01" using unsalted SHA256 it would be stored as "8675AEF58258098B5BFF8014A246BB5BE62DF4E9CCC1D59B4D991F93050739FE" then if he passed that hash value to Wunderground it would not work, as Wunderground is expecting Password01 as user input so that it can hash the input using its algorythm and salt/pepper. The security of a hash is that it is mathematically infeasible to reverse the hash back to the clear text.

Hashing is extremely useful for comparing passwords (you send Password01, the webserver hashes your input and compares to the stored hash) but horrible for using as an input unless both ends of the communication are setup to not hash the hash

As we are on OSX, using the keychain may be another option, it is encrypted, not hashed for the very reasons mentioned above. Another option would be to AES encrypt the data in the PLIST files so that they can be decrypted when needed.

In regards to "salt" this is slightly better than not using it, but adding pepper is prefered
https://en.wikipedia.org/wiki/Pepper_(cryptography)

Sorry -- the security geek in me hasnt had enough coffee yet :)

elagache

  • Global Moderator
  • Storm
  • *****
  • Posts: 6494
    • DW3835
    • KCAORIND10
    • Canebas Weather
  • Station Details: Davis Vantage Pro-2, Mac mini (2018), macOS 10.14.3, WeatherCat 3
Is the curl in OS X supporting SFTP? (Re: Password encryption)
« Reply #9 on: April 09, 2017, 11:32:14 PM »
Dear jhoke and WeatherCat security experts,

All OSX devices have SSH/SFTP clients that can be used, as well as code access to it via the Dev libraries.

WeatherCat doesn't actually do any FTP directly.  Instead it uses the UNIX utility curl.  Last time this topic got visited, OS X didn't include the version of curl that supported SFTP yet.  Do you know if Apple has finally gotten off their fanny and updated the utilities included with OS X macOS?

Cheers, Edouard

jhoke

  • Gentle Breeze
  • **
  • Posts: 56
  • this space for rent
    • EW5604
    • KPAALBRI11
    • Indian Mountain Lakes - Carbon County Weather
  • Station Details: Davis Vantage Pro2, MacMini (i5 2.5Ghz 4GBRam 500GB HD, 4TB attached storage), other bits coming soon (UV, etc)
Re: Is the curl in OS X supporting SFTP? (Re: Password encryption)
« Reply #10 on: April 10, 2017, 12:47:12 AM »
Dear jhoke and WeatherCat security experts,

All OSX devices have SSH/SFTP clients that can be used, as well as code access to it via the Dev libraries.

WeatherCat doesn't actually do any FTP directly.  Instead it uses the UNIX utility curl.  Last time this topic got visited, OS X didn't include the version of curl that supported SFTP yet.  Do you know if Apple has finally gotten off their fanny and updated the utilities included with OS X macOS?

Cheers, Edouard

Interesting ... without knowing how Stu is calling the curl library, I can only presume that a selector could be leveraged to do an SFTP the same way using CURL
That said, from the CURL man page on my Sierra box:(Bold Emphasis Mine)
Quote
NAME
       curl - transfer a URL

SYNOPSIS
       curl [options] [URL...]

DESCRIPTION
       curl  is  a  tool  to  transfer data from or to a server, using one of the supported protocols (DICT,
       FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP,  SCP,  SFTP,
       SMB, SMBS, SMTP, SMTPS, TELNET and TFTP). The command is designed to work without user interaction.

       curl  offers  a  busload  of  useful tricks like proxy support, user authentication, FTP upload, HTTP
       post, SSL connections, cookies, file transfer resume, Metalink, and more. As you will see below,  the
       number of features will make your head spin!


So it could be called as:
curl sftp://example.com/file.zip -u user

elagache

  • Global Moderator
  • Storm
  • *****
  • Posts: 6494
    • DW3835
    • KCAORIND10
    • Canebas Weather
  • Station Details: Davis Vantage Pro-2, Mac mini (2018), macOS 10.14.3, WeatherCat 3
Perhaps now possible (Re: Password encryption)
« Reply #11 on: April 10, 2017, 11:03:01 PM »
Dear jhoke, and WeatherCat security experts,

Interesting ... without knowing how Stu is calling the curl library, I can only presume that a selector could be leveraged to do an SFTP the same way using CURL
That said, from the CURL man page on my Sierra box:(Bold Emphasis Mine)

. . . .

So it could be called as:
curl sftp://example.com/file.zip -u user

I believe that was the missing piece.  So perhaps Stu can now add SFTP support for at least Sierra.  We'll just have to wait for Stu to chime in on this one.

Cheers, Edouard