encrypted password

mcad


Re: encrypted password

Postby Davin Mickelson » Wed, 19 Nov 2003 03:59:15 GMT

On a side note, I don't believe you should be saving encrypted passwords in
your database. Rather you should be saving hash representations of passwords
of authenticated users that will be compared against user-submitted hashed
passwords. Reverse cryptography is then eliminated. If you have access, take
a look at how it is performed in Commerce Server 2002.

Admittedly, I have no knowledge of the software you are developing or why
you are developing it this way.

Good luck,
Davin Mickelson





hi,



I am encountering a problem while saving my encrypted
password (as bytes) in SQL Server 2000 using
ASP.NET. Before saving to SQL Server, on screen the
encrypted password is as follows:

SY=

After saving to SQL Server 2000 it becomes as follows:


L?s




The following lines show the part of the ASP.NET source file
that saves the encrypted password
in SQL Server 2000:

Dim encoder As New System.Text.UTF8Encoding()

' encryptedPasswordBytes stands for the encrypted password as a Byte array
regsp.Parameters.Add(New SqlParameter("@userkey", _
    SqlDbType.VarChar, 50)).Value = encoder.GetString(encryptedPasswordBytes)



Please help me!


with regards,

Asad


 XXXX@XXXXX.COM 
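The corruption Asad describes comes from the conversion, not from SQL Server: ciphertext is arbitrary binary, and UTF8Encoding.GetString silently replaces every byte sequence that is not valid UTF-8 with U+FFFD before the value ever reaches the VarChar parameter. The added example below is in Python rather than the poster's VB.NET and is not code from the thread; it mimics the .NET decoder with errors="replace", shows that the bytes do not survive the trip through a text decoder, and shows two text encodings (Base64 and hex) that do. The sample ciphertext is constructed for the demonstration.

```python
# Added example (Python, not the VB.NET from the original post): why running
# ciphertext bytes through a text decoder before storing them in a VARCHAR
# column corrupts the value, and two encodings that survive the round trip.
import base64
import os


def text_roundtrip(cipher_bytes: bytes) -> bytes:
    """Mimic UTF8Encoding.GetString followed by GetBytes.

    .NET's decoder replaces every invalid UTF-8 sequence with U+FFFD
    instead of raising; Python does the same with errors="replace".
    The bytes that come back are what would actually reach the database.
    """
    as_text = cipher_bytes.decode("utf-8", errors="replace")
    return as_text.encode("utf-8")


def base64_roundtrip(cipher_bytes: bytes) -> bytes:
    """Base64 turns any byte string into plain ASCII and back, losslessly."""
    stored = base64.b64encode(cipher_bytes).decode("ascii")
    return base64.b64decode(stored)


def hex_roundtrip(cipher_bytes: bytes) -> bytes:
    """Hex does the same at twice the storage cost."""
    stored = cipher_bytes.hex()
    return bytes.fromhex(stored)


def survives_text_decoding(cipher_bytes: bytes) -> bool:
    """True only if the value comes back unchanged from the UTF-8 detour."""
    return text_roundtrip(cipher_bytes) == cipher_bytes


# Constructed sample ciphertext: starts with printable ASCII, then contains a
# stray continuation byte (0x8F), a lead byte without its continuation
# (0xC3 0x28), a byte that can never appear in UTF-8 (0xFF) and a truncated
# three-byte sequence (0xE2 0x82).
SAMPLE_CIPHERTEXT = bytes([0x53, 0x59, 0x3D, 0x8F, 0xC3, 0x28, 0xFF, 0x00, 0xE2, 0x82])


def failure_rate(trials: int = 1000, length: int = 16) -> float:
    """Fraction of random byte strings (what real ciphertext looks like) that
    are damaged by the text decoder.  For 16-byte blocks this is nearly 1.0."""
    failures = sum(not survives_text_decoding(os.urandom(length)) for _ in range(trials))
    return failures / trials


if __name__ == "__main__":
    print("original :", SAMPLE_CIPHERTEXT.hex())
    print("via UTF-8:", text_roundtrip(SAMPLE_CIPHERTEXT).hex())
    print("via b64  :", base64_roundtrip(SAMPLE_CIPHERTEXT).hex())
    print("random 16-byte blocks damaged by UTF-8 decoding:", failure_rate())
```

The practical fix on the .NET side is either to store the Base64 string (Convert.ToBase64String on the way in, Convert.FromBase64String on the way out) in the VarChar column, or to keep the value binary end to end with a VARBINARY column and SqlDbType.VarBinary, so no text decoder is ever involved. Which of the two is chosen matters less than never calling GetString on ciphertext.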






Re: encrypted password

Postby Jay Walters » Wed, 19 Nov 2003 12:41:30 GMT

Yes, Good Point (Can't believe I didn't pick up on that - 
I'm kind of trendy about security Lol).

Actually - Yes you should hash passwords and encrypt only 
credit card data (or other secure data that you'll need 
to retrieve later). Passwords are something you should 
never need to access as clear text. If you have 
a "retrieve your password" function for your end-users 
(like sending them a copy of their lost password) - you 
should really look at generating them a new password 
after they confirm their birthday and other personal 
info .. and then send it to their email on record.

You should salt the hash with a piece of data that is 
unique to the user login such as their first login date - 
or even better add a GUID column and assign a GUID on 
account creation. - Hashing is good, but it's possible to 
create a hash dictionary of common passwords and try to 
find equal hash values. Salting the hash will protect 
the data from easy attacks like this.

Also - in terms of Asymmetric encryption, you should use 
the Rijndael algorithm and not TDES as many experts will 
point out.
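Davin's advice to store a hash rather than an encrypted password, and Jay's refinement of salting it with a per-user value such as a GUID column, are shown together in the added Python example below. It is not code from the thread or from Commerce Server. It stores a random per-user salt alongside a PBKDF2 digest, verifies a login by recomputing the digest from the stored salt, and then plays the attacker: a precomputed dictionary of common-password hashes recovers an unsalted hash in one lookup but is useless against the salted row, where every candidate has to be re-derived per user. The common-password list, the iteration count and the account data are constructed for the demonstration.

```python
# Added example (Python, not from the original thread): salted password
# hashing as the thread recommends, plus a demonstration of why the per-user
# salt defeats a precomputed hash dictionary.
import hashlib
import hmac
import os
import uuid
from typing import Dict, Optional

# Assumption: PBKDF2 work factor.  Kept modest so the example runs quickly;
# production deployments should use current guidance and revisit it yearly.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-size digest from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_account(password: str) -> Dict[str, bytes]:
    """What the database row holds: a random salt (the thread's 'GUID column',
    a v4 UUID is 16 random bytes) and the digest.  There is no reversible
    ciphertext and therefore no key or IV to protect."""
    salt = uuid.uuid4().bytes  # os.urandom(16) would do equally well
    return {"salt": salt, "digest": hash_password(password, salt)}


def verify_login(row: Dict[str, bytes], submitted: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time,
    so the comparison itself leaks nothing about how many bytes matched."""
    candidate = hash_password(submitted, row["salt"])
    return hmac.compare_digest(candidate, row["digest"])


# ---- attacker side -------------------------------------------------------

def unsalted_hash(password: str) -> bytes:
    """The weak scheme the thread warns against: plain hash, no salt."""
    return hashlib.sha256(password.encode("utf-8")).digest()


# Constructed dictionary of common passwords, hashed once and reused against
# every stolen row.  Real lists run to hundreds of millions of entries.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "summer2003"]
HASH_DICTIONARY = {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def crack_unsalted(stored_digest: bytes) -> Optional[str]:
    """One dictionary lookup recovers an unsalted hash of a common password."""
    return HASH_DICTIONARY.get(stored_digest)


def crack_salted_with_table(row: Dict[str, bytes]) -> Optional[str]:
    """The same lookup against a salted row never hits: the salt changed the
    input to the hash, so no precomputed value can match."""
    return HASH_DICTIONARY.get(row["digest"])


def crack_salted_by_guessing(row: Dict[str, bytes], candidates) -> Optional[str]:
    """All that is left to the attacker: redo the full derivation for each
    candidate, for each user, paying ITERATIONS of work per guess."""
    for guess in candidates:
        if verify_login(row, guess):
            return guess
    return None


if __name__ == "__main__":
    row = create_account("summer2003")
    print("login ok     :", verify_login(row, "summer2003"))
    print("wrong pw     :", verify_login(row, "Summer2003"))
    print("unsalted hit :", crack_unsalted(unsalted_hash("summer2003")))
    print("salted lookup:", crack_salted_with_table(row))
    print("salted guess :", crack_salted_by_guessing(row, COMMON_PASSWORDS))
```

Two details matter beyond the thread's text. The salt should be random rather than something guessable like a first-login date, since an attacker who can predict the salt can precompute a table per user. And two accounts with the same password get different digests, so a breach of one row says nothing about the other, which a plain hash does not give you.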



Re: encrypted password

Postby Jay Walters » Wed, 19 Nov 2003 12:53:17 GMT

meant symmetric not asymmetric.

As an additional note; if you want to be extra hard core:

The key and IV that you'll need to generate for the
symmetric algorithm should not be stored as bytes in your
encrypt/decrypt functions .... rather you should print
them out, (or burn a file to CD) and store it somewhere
safe.

You should build a helper application to store the bytes
in the registry and encrypt the bytes using the DPAPI.
Then your app can read from the registry, decrypt the
bytes, and store them in memory. Your functions would then get
the clear bytes from memory... Why do all this? Because
your assembly can be easily reverse-engineered.

Hope this helps.





