473,795 Members | 3,151 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Is this secure

I MD5 encrypt passwords in a user table of my database. I have a global
application object (initiated in global.aspx) which contains a few
static members (for counting users online etc). because the MD5 encrypt
algorithm is used on creation of a new user, and on login of a user, I
considered putting it in a shared place. Would there be any security
risk if I put it as a public static method in the global object? Or is
this a bad idea?

Paul

May 10 '06 #1
20 1475
I can't see any reason why it would be a security risk.

--
HTH,

Kevin Spencer
Microsoft MVP
Professional Numbskull

Hard work is a medication for which
there is no placebo.

<Ge**********@g mail.com> wrote in message
news:11******** **************@ u72g2000cwu.goo glegroups.com.. .
I MD5 encrypt passwords in a user table of my database. I have a global
application object (initiated in global.aspx) which contains a few
static members (for counting users online etc). because the MD5 encrypt
algorithm is used on creation of a new user, and on login of a user, I
considered putting it in a shared place. Would there be any security
risk if I put it as a public static method in the global object? Or is
this a bad idea?

Paul

May 10 '06 #2
what if your memory gets hijacked? You might say what?
Ask this question why did Microsoft create System.Security .SecureString()
Sessions can by hijacked etc...

Keep your objects a moving memory target. just make it more difficult.

SA
<Ge**********@g mail.com> wrote in message
news:11******** **************@ u72g2000cwu.goo glegroups.com.. .
I MD5 encrypt passwords in a user table of my database. I have a global
application object (initiated in global.aspx) which contains a few
static members (for counting users online etc). because the MD5 encrypt
algorithm is used on creation of a new user, and on login of a user, I
considered putting it in a shared place. Would there be any security
risk if I put it as a public static method in the global object? Or is
this a bad idea?

Paul

May 10 '06 #3
The encrypt function wouldn't contain anything sensitive as such. It
takes a string, MD5 encrypts it, and returns the encrypted string. Are
you saying persistent objects, such as ones initiated at application
start, are a potential security risk? Also, once I authenticate a user,
I store the fact they are authenticated in an object created at session
start - no sesntive information is there, just their role, username and
isLoggedIn = true etc. Is this wrong to do? If so, what would be a
secure way of maintaining the knowledge a user has successfully logged
in?

paul

May 10 '06 #4
Just reduce the surface of attach, memory/time and make it more difficult
there is no bullet proof way.

Few notes: ( keep an open mind )
What if a super hacker gets into your memory or session and change the role
to Admin role.
I would not store encrypted passwords in the database, I would Hash and Salt
them ( Pepper is optional )
Is Public shared can be easier to access?
After Authentication store the user id then check the role on every page
access. I have seen that on web sites ( no kidding )
that way no one can change the role.
What if they change the Id? if they know it you have a point. You might
issue a GUID with exportation as a token and not an Id.
Expire the Token every few minutes. and renew the GUID with a new
expiration. Then the super hacker need to find the new GUID etc..

To completely not allow hackers to sniff or detect your session then check
out Quantum Optical Photon Encryption.

Thank You,

SA
<Ge**********@g mail.com> wrote in message
news:11******** **************@ i39g2000cwa.goo glegroups.com.. .
The encrypt function wouldn't contain anything sensitive as such. It
takes a string, MD5 encrypts it, and returns the encrypted string. Are
you saying persistent objects, such as ones initiated at application
start, are a potential security risk? Also, once I authenticate a user,
I store the fact they are authenticated in an object created at session
start - no sesntive information is there, just their role, username and
isLoggedIn = true etc. Is this wrong to do? If so, what would be a
secure way of maintaining the knowledge a user has successfully logged
in?

paul

May 10 '06 #5
You are right it has been broken

"Spam Catcher" <sp**********@r ogers.com> wrote in message
news:Xn******** *************** ***********@127 .0.0.1...
Ge**********@gm ail.com wrote in news:1147297682 .398014.186360
@u72g2000cwu.go oglegroups.com:
I MD5 encrypt passwords in a user table of my database.


Actually MD5 is not an encryption algorithm - it only hashs data.

I wouldn't consider MD5 "secure".

May 11 '06 #6
What would be considered a secure way to store passwords?

Paul

May 11 '06 #7
Ok, so is the main potential security risk server side? Is it possible
for people to easily change session data client side? If so, would
checking role each page load be considered too time-consuming on the
DB? Or is this the norm?

Thanks,

Paul

May 11 '06 #8
Yeah, I've read about it being broken, but currently it takes a lot of
processing power and time?

May 11 '06 #9
Ge**********@gm ail.com wrote:
What would be considered a secure way to store passwords?

Paul

Hi Gef

I use SHA1 to hash my passwords. When a user is created on my site, his
password prefixed with a randomly generated salt and hashed with SHA1.
Both the hashed password and salt are stored in the database.

When the user logs in, his password is sent to the SQL server in plain
text through a stored proc and the stored procedure returns whether it
is correct or not, the salt and hash never leave the database once there.

If the user changes their password a new salt is generated and stored
again in the database.

Hope this helps.

Regards
Ray
May 11 '06 #10

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
6
4842
Secure and Unsecure Web Directories using Forms Authentication
by: Billy Jacobs | last post by:
I have a website which has both secure and non-secure pages. I want to uses forms authentication. How do I accomplish this? Originally I had my web.config file in the root with Forms Authentication set up and it worked just fine. Then I realized that I needed to have some pages unsecure. I then created 2 directories. One named Secure and the other named Public. I placed my web.config file in my
.NET Framework
4
2915
Pop-up and secure connection
by: debedb | last post by:
Hi all, I have a link, <A onClick="javascript:foo()">. The foo() function does w = window.open('', fieldid+'mywindow', prop); w.document.open(); d = w.document; And proceeds to write stuff there.
Javascript
0
1167
Session over from nonsecure to secure
by: Mike | last post by:
I have noticed that the id of my session object changes when I switch from a non-secure to a secure connection. What I'm trying to do: I have a cookie that is built on the non-secure side of things. What I need to do is to switch to a secure connection and then later on while still in that secure connection delete the cookie that was created on the non- secure side.
ASP.NET
7
3025
Session Scope, over domains and secure connections
by: Seth | last post by:
I have noticed that the id of my session object changes when I switch from a non-secure to a secure connection. What I'm trying to do: I have a cookie that is built on the non-secure side of things. What I need to do is to switch to a secure connection and then later on while still in that secure connection delete the cookie that was created on the non- secure side. I need to do this because I can not reference the non-secure cookie...
ASP.NET
1
1649
Switching to the secure page looses authentication...
by: Iulian Ionescu | last post by:
I have a page (http://www.something.com/) and a secure page (https://secure.something.com) and the secure.something.com points to http://www.something.com/secure/ All works ok, but, when I transfer to one of the pages on the secure directory all gets lost. First of all, I had to basically duplicate my web application assembly in the secure folder. I created a "secureWrapper" solution and I added the main web application as a reference,...
ASP.NET
5
2176
Share session between secure and non-secure applications
by: Joe | last post by:
I have an application which runs in a non-secure environment. I also have an application that runs in a secure environment (both on the same machine). Is there any way to share the session data for this? Most of the site allows the user to add things to a cart (non-secure), once they choose to check-out, I need this information which was stored in the session to be read by the payment page(secured). Hope this makes sense. It's probably...
ASP.NET
40
2817
secure integer library
by: Robert Seacord | last post by:
The CERT/CC has released a beta version of a secure integer library for the C Programming Language. The library is available for download from the CERT/CC Secure Coding Initiative web page at: http://www.cert.org/secure-coding/ The purpose of this library is to provide a collection of utility functions that can assist software developers in writing C programs that are free from common integer problems such as integer overflow, integer...
C / C++
7
4967
CERT C Programming Language Secure Coding Standard
by: Robert Seacord | last post by:
The CERT/CC has just deployed a new web site dedicated to developing secure coding standards for the C programming language, C++, and eventually other programming language. We have already developed significant content for the C programming language that is available at: https://www.securecoding.cert.org/ by clicking on the "CERT C Programming Language Secure Coding Standard"
C / C++
0
2346
Navigation between Secure and Non-secure Pages
by: amitvps | last post by:
Secure Socket Layer is very important and useful for any web application but it brings some problems too with itself. Handling navigation between secure and non-secure pages is one of the cumbersome jobs. When a non-secure page references a secure page with relative URL, the web server generates error until absolute URL with https prefix is used. On the other hand when a secure page references a non-secure page, the non-secure page will be...
ASP / Active Server Pages
3
2756
Do checked iterators/containers make code more secure?
by: zr | last post by:
Hi, Does usage of checked iterators and checked containers make code more secure? If so, can that code considered to be reasonably secure?
C / C++
0
10438
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
C / C++
1
10164
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
Windows Server
0
10001
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
General
0
9042
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
Career Advice
0
6780
Couldn’t get equations in html when convert word .docx file to html file in C#.
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
C# / C Sharp
0
5437
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
Networking - Hardware / Configuration
0
5563
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET
1
4113
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
C# / C Sharp
2
3727
muto222
How to add payments to a PHP MySQL app.
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
PHP

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us