I MD5 encrypt passwords in a user table of my database. I have a global
application object (initiated in global.aspx) which contains a few
static members (for counting users online etc). because the MD5 encrypt
algorithm is used on creation of a new user, and on login of a user, I
considered putting it in a shared place. Would there be any security
risk if I put it as a public static method in the global object? Or is
this a bad idea?
Paul
May 10 '06
20  1478 
Ray Booysen wrote: Ge**********@gm ail.com wrote: What would be considered a secure way to store passwords?
Paul
Hi Gef
I use SHA1 to hash my passwords. When a user is created on my site, his
password prefixed with a randomly generated salt and hashed with SHA1.
Both the hashed password and salt are stored in the database.
When the user logs in, his password is sent to the SQL server in plain
text through a stored proc and the stored procedure returns whether it
is correct or not, the salt and hash never leave the database once there.
If the user changes their password a new salt is generated and stored
again in the database.
Hope this helps.
Regards
Ray
Hi Ray,
Thats a big help. I've just rewritten the password section to use sha1
+ salt. As stated in a previous post, I currently store a users role
and ID in a session var. But another poster stated this is a security
risk as the role might be changed within the session. A solution is to
just store the user ID and use it to check the role in the db each page
load. Does this sound like a safe way of doing this? I'm just concerned
about the DB getting hit each page load first for role check and then
to pull out the needed data.
Paul
Ray Booysen wrote: Ge**********@gm ail.com wrote: What would be considered a secure way to store passwords?
Paul
Hi Gef
I use SHA1 to hash my passwords. When a user is created on my site, his
password prefixed with a randomly generated salt and hashed with SHA1.
Both the hashed password and salt are stored in the database.
When the user logs in, his password is sent to the SQL server in plain
text through a stored proc and the stored procedure returns whether it
is correct or not, the salt and hash never leave the database once there.
If the user changes their password a new salt is generated and stored
again in the database.
Hope this helps.
Regards
Ray
Hi Ray,
I've created a class to create a random salt, use it with a password
to created a salted hash and then put it and the salt into the db.
I'm curious as to what stored proc you use to validate a login
password. When the user wishes to log in, they will supply their
password, but then i'd need the salt to create a saltedhash to compare
against the one in the database. Wouldn't this mean pulling the salt
for the uer out to create the saltedhash?
Paul Ge**********@gm ail.com wrote: Ray Booysen wrote: Ge**********@gm ail.com wrote: What would be considered a secure way to store passwords?
Paul
Hi Gef
I use SHA1 to hash my passwords. When a user is created on my site, his
password prefixed with a randomly generated salt and hashed with SHA1.
Both the hashed password and salt are stored in the database.
When the user logs in, his password is sent to the SQL server in plain
text through a stored proc and the stored procedure returns whether it
is correct or not, the salt and hash never leave the database once there.
If the user changes their password a new salt is generated and stored
again in the database.
Hope this helps.
Regards
Ray
Hi Ray,
Thats a big help. I've just rewritten the password section to use sha1
+ salt. As stated in a previous post, I currently store a users role
and ID in a session var. But another poster stated this is a security
risk as the role might be changed within the session. A solution is to
just store the user ID and use it to check the role in the db each page
load. Does this sound like a safe way of doing this? I'm just concerned
about the DB getting hit each page load first for role check and then
to pull out the needed data.
Paul
I wouldn't worry too much on the role being only in the database. If
your site does become very busy, the role DB hit will be one of many
"expenses" that you could look at to fix.
For the moment, pulling from the DB shouldn't be too much of a problem. Ge**********@gm ail.com wrote: Ray Booysen wrote: Ge**********@gm ail.com wrote: What would be considered a secure way to store passwords?
Paul
Hi Gef
I use SHA1 to hash my passwords. When a user is created on my site, his
password prefixed with a randomly generated salt and hashed with SHA1.
Both the hashed password and salt are stored in the database.
When the user logs in, his password is sent to the SQL server in plain
text through a stored proc and the stored procedure returns whether it
is correct or not, the salt and hash never leave the database once there.
If the user changes their password a new salt is generated and stored
again in the database.
Hope this helps.
Regards
Ray
Hi Ray,
I've created a class to create a random salt, use it with a password
to created a salted hash and then put it and the salt into the db.
I'm curious as to what stored proc you use to validate a login
password. When the user wishes to log in, they will supply their
password, but then i'd need the salt to create a saltedhash to compare
against the one in the database. Wouldn't this mean pulling the salt
for the uer out to create the saltedhash?
Paul
For the case of authenticating, the user name and password is passed to
the database. In the stored proc, the password is salted with the
stored salt and hashed. Then this hash is compared to the stored hashed
password. If they are the same, you can pass back true or 1 or whatever
you want.
Let me know if you need any other info! :)
Regards
Ray
Ray Booysen wrote: Ge**********@gm ail.com wrote: Ray Booysen wrote: Ge**********@gm ail.com wrote:
What would be considered a secure way to store passwords?
Paul
Hi Gef
I use SHA1 to hash my passwords. When a user is created on my site, his
password prefixed with a randomly generated salt and hashed with SHA1.
Both the hashed password and salt are stored in the database.
When the user logs in, his password is sent to the SQL server in plain
text through a stored proc and the stored procedure returns whether it
is correct or not, the salt and hash never leave the database once there.
If the user changes their password a new salt is generated and stored
again in the database.
Hope this helps.
Regards
Ray
Hi Ray,
I've created a class to create a random salt, use it with a password
to created a salted hash and then put it and the salt into the db.
I'm curious as to what stored proc you use to validate a login
password. When the user wishes to log in, they will supply their
password, but then i'd need the salt to create a saltedhash to compare
against the one in the database. Wouldn't this mean pulling the salt
for the uer out to create the saltedhash?
Paul
For the case of authenticating, the user name and password is passed to
the database. In the stored proc, the password is salted with the
stored salt and hashed. Then this hash is compared to the stored hashed
password. If they are the same, you can pass back true or 1 or whatever
you want.
Let me know if you need any other info! :)
Regards
Ray
Hi Ray,
Thanks for the answers :). I'm currently using MySQL server with this
project, and it doesn't contain any functionality for hashing etc (as
far as I am aware anyway). So this means I would have to create the
hash outside the DB. Would pulling the salt out to create the salted
hash when a user tries to log in create any huge security risk? (I
can't see another way of doing this with MySQL server - but i'm still
learning so i might have missed something).
Paul Ge**********@gm ail.com wrote: Ray Booysen wrote: Ge**********@gm ail.com wrote: Ray Booysen wrote:
Ge**********@gm ail.com wrote:
> What would be considered a secure way to store passwords?
>
> Paul
>
Hi Gef
I use SHA1 to hash my passwords. When a user is created on my site, his
password prefixed with a randomly generated salt and hashed with SHA1.
Both the hashed password and salt are stored in the database.
When the user logs in, his password is sent to the SQL server in plain
text through a stored proc and the stored procedure returns whether it
is correct or not, the salt and hash never leave the database once there.
If the user changes their password a new salt is generated and stored
again in the database.
Hope this helps.
Regards
Ray
Hi Ray,
I've created a class to create a random salt, use it with a password
to created a salted hash and then put it and the salt into the db.
I'm curious as to what stored proc you use to validate a login
password. When the user wishes to log in, they will supply their
password, but then i'd need the salt to create a saltedhash to compare
against the one in the database. Wouldn't this mean pulling the salt
for the uer out to create the saltedhash?
Paul
For the case of authenticating, the user name and password is passed to
the database. In the stored proc, the password is salted with the
stored salt and hashed. Then this hash is compared to the stored hashed
password. If they are the same, you can pass back true or 1 or whatever
you want.
Let me know if you need any other info! :)
Regards
Ray
Hi Ray,
Thanks for the answers :). I'm currently using MySQL server with this
project, and it doesn't contain any functionality for hashing etc (as
far as I am aware anyway). So this means I would have to create the
hash outside the DB. Would pulling the salt out to create the salted
hash when a user tries to log in create any huge security risk? (I
can't see another way of doing this with MySQL server - but i'm still
learning so i might have missed something).
Paul
MySQL can create the hashes for you, the functions are built in. E.g.
SELECT MD5(FullName) FROM Customer will create a hash for you. The SHA
hash functions also exist.
I suppose unless you're using the latest version, you won't have access
to stored procedures.
Its not really a security risk as the highest risk there would be the
transfer of the salted hash and the salt from the database. All the
processing will happen server side and shouldn't be too much of a
problem. (I'm sure the more paranoid of the forum will quickly say
differently. ;) )
Hope this helps.
Regards
Ray
Ray Booysen wrote: Ge**********@gm ail.com wrote: Ray Booysen wrote: Ge**********@gm ail.com wrote:
Ray Booysen wrote:
> Ge**********@gm ail.com wrote:
>> What would be considered a secure way to store passwords?
>>
>> Paul
>>
> Hi Gef
>
> I use SHA1 to hash my passwords. When a user is created on my site, his
> password prefixed with a randomly generated salt and hashed with SHA1.
> Both the hashed password and salt are stored in the database.
>
> When the user logs in, his password is sent to the SQL server in plain
> text through a stored proc and the stored procedure returns whether it
> is correct or not, the salt and hash never leave the database once there.
>
> If the user changes their password a new salt is generated and stored
> again in the database.
>
> Hope this helps.
>
> Regards
> Ray
Hi Ray,
I've created a class to create a random salt, use it with a password
to created a salted hash and then put it and the salt into the db.
I'm curious as to what stored proc you use to validate a login
password. When the user wishes to log in, they will supply their
password, but then i'd need the salt to create a saltedhash to compare
against the one in the database. Wouldn't this mean pulling the salt
for the uer out to create the saltedhash?
Paul
For the case of authenticating, the user name and password is passed to
the database. In the stored proc, the password is salted with the
stored salt and hashed. Then this hash is compared to the stored hashed
password. If they are the same, you can pass back true or 1 or whatever
you want.
Let me know if you need any other info! :)
Regards
Ray
Hi Ray,
Thanks for the answers :). I'm currently using MySQL server with this
project, and it doesn't contain any functionality for hashing etc (as
far as I am aware anyway). So this means I would have to create the
hash outside the DB. Would pulling the salt out to create the salted
hash when a user tries to log in create any huge security risk? (I
can't see another way of doing this with MySQL server - but i'm still
learning so i might have missed something).
Paul
MySQL can create the hashes for you, the functions are built in. E.g.
SELECT MD5(FullName) FROM Customer will create a hash for you. The SHA
hash functions also exist.
I suppose unless you're using the latest version, you won't have access
to stored procedures.
Its not really a security risk as the highest risk there would be the
transfer of the salted hash and the salt from the database. All the
processing will happen server side and shouldn't be too much of a
problem. (I'm sure the more paranoid of the forum will quickly say
differently. ;) )
Hope this helps.
Regards
Ray
Thanks again Ray :).
I am using MYSQL5, and tried looking through the online manual for
hash functions but couldn't seem to find any. I'll take another look.
Thanks again, you've been a huge help :)
Paul Ge**********@gm ail.com wrote: Ray Booysen wrote: Ge**********@gm ail.com wrote: Ray Booysen wrote:
Ge**********@gm ail.com wrote:
> Ray Booysen wrote:
>> Ge**********@gm ail.com wrote:
>>> What would be considered a secure way to store passwords?
>>>
>>> Paul
>>>
>> Hi Gef
>>
>> I use SHA1 to hash my passwords. When a user is created on my site, his
>> password prefixed with a randomly generated salt and hashed with SHA1.
>> Both the hashed password and salt are stored in the database.
>>
>> When the user logs in, his password is sent to the SQL server in plain
>> text through a stored proc and the stored procedure returns whether it
>> is correct or not, the salt and hash never leave the database once there.
>>
>> If the user changes their password a new salt is generated and stored
>> again in the database.
>>
>> Hope this helps.
>>
>> Regards
>> Ray
> Hi Ray,
>
> I've created a class to create a random salt, use it with a password
> to created a salted hash and then put it and the salt into the db.
> I'm curious as to what stored proc you use to validate a login
> password. When the user wishes to log in, they will supply their
> password, but then i'd need the salt to create a saltedhash to compare
> against the one in the database. Wouldn't this mean pulling the salt
> for the uer out to create the saltedhash?
>
> Paul
>
For the case of authenticating, the user name and password is passed to
the database. In the stored proc, the password is salted with the
stored salt and hashed. Then this hash is compared to the stored hashed
password. If they are the same, you can pass back true or 1 or whatever
you want.
Let me know if you need any other info! :)
Regards
Ray
Hi Ray,
Thanks for the answers :). I'm currently using MySQL server with this
project, and it doesn't contain any functionality for hashing etc (as
far as I am aware anyway). So this means I would have to create the
hash outside the DB. Would pulling the salt out to create the salted
hash when a user tries to log in create any huge security risk? (I
can't see another way of doing this with MySQL server - but i'm still
learning so i might have missed something).
Paul
MySQL can create the hashes for you, the functions are built in. E.g.
SELECT MD5(FullName) FROM Customer will create a hash for you. The SHA
hash functions also exist.
I suppose unless you're using the latest version, you won't have access
to stored procedures.
Its not really a security risk as the highest risk there would be the
transfer of the salted hash and the salt from the database. All the
processing will happen server side and shouldn't be too much of a
problem. (I'm sure the more paranoid of the forum will quickly say
differently. ;) )
Hope this helps.
Regards
Ray
Thanks again Ray :).
I am using MYSQL5, and tried looking through the online manual for
hash functions but couldn't seem to find any. I'll take another look.
Thanks again, you've been a huge help :)
Paul
Sure thing! :)
Paul,
time-consuming? it really depend on your application and number of users
hitting your website.
You might not want to go that route but again it depends.
There is no session data on the client side. But you can get attacked from
the outside.
You have to be a very good hacker with resources to hack or hijack a
session.
Just reduce the surface of attack as much as you can, taking into
consideration performance and how secure you want your website to be.
It is a balancing act. No one can give you the perfect and exact solution.
Keep in mind the possibilities and work with it.
You can have hackers coming at your server from the outside or someone from
the inside.
You need to protect all your servers, Web, Apps, Sql. Need to protect
Physical Hardware also and social engineering attacks.
SA
<Ge**********@g mail.com> wrote in message
news:11******** **************@ i40g2000cwc.goo glegroups.com.. . Ok, so is the main potential security risk server side? Is it possible
for people to easily change session data client side? If so, would
checking role each page load be considered too time-consuming on the
DB? Or is this the norm?
Thanks,
Paul
Paul,
What I do in my business layer I get the salt, then I use my custom classes
to hash the passed in password then send the Hash to a Stored Proc to
compare etc..
You can always do all of that on the database side also. ( we did not )
SA
<Ge**********@g mail.com> wrote in message
news:11******** **************@ j73g2000cwa.goo glegroups.com.. . Ray Booysen wrote: Ge**********@gm ail.com wrote: > Ray Booysen wrote:
>> Ge**********@gm ail.com wrote:
>>> Ray Booysen wrote:
>>>> Ge**********@gm ail.com wrote:
>>>>> What would be considered a secure way to store passwords?
>>>>>
>>>>> Paul
>>>>>
>>>> Hi Gef
>>>>
>>>> I use SHA1 to hash my passwords. When a user is created on my site,
>>>> his
>>>> password prefixed with a randomly generated salt and hashed with
>>>> SHA1.
>>>> Both the hashed password and salt are stored in the database.
>>>>
>>>> When the user logs in, his password is sent to the SQL server in
>>>> plain
>>>> text through a stored proc and the stored procedure returns whether
>>>> it
>>>> is correct or not, the salt and hash never leave the database once
>>>> there.
>>>>
>>>> If the user changes their password a new salt is generated and
>>>> stored
>>>> again in the database.
>>>>
>>>> Hope this helps.
>>>>
>>>> Regards
>>>> Ray
>>> Hi Ray,
>>>
>>> I've created a class to create a random salt, use it with a password
>>> to created a salted hash and then put it and the salt into the db.
>>> I'm curious as to what stored proc you use to validate a login
>>> password. When the user wishes to log in, they will supply their
>>> password, but then i'd need the salt to create a saltedhash to
>>> compare
>>> against the one in the database. Wouldn't this mean pulling the salt
>>> for the uer out to create the saltedhash?
>>>
>>> Paul
>>>
>> For the case of authenticating, the user name and password is passed
>> to
>> the database. In the stored proc, the password is salted with the
>> stored salt and hashed. Then this hash is compared to the stored
>> hashed
>> password. If they are the same, you can pass back true or 1 or
>> whatever
>> you want.
>>
>> Let me know if you need any other info! :)
>>
>> Regards
>> Ray
>
> Hi Ray,
>
> Thanks for the answers :). I'm currently using MySQL server with this
> project, and it doesn't contain any functionality for hashing etc (as
> far as I am aware anyway). So this means I would have to create the
> hash outside the DB. Would pulling the salt out to create the salted
> hash when a user tries to log in create any huge security risk? (I
> can't see another way of doing this with MySQL server - but i'm still
> learning so i might have missed something).
>
> Paul
>
MySQL can create the hashes for you, the functions are built in. E.g.
SELECT MD5(FullName) FROM Customer will create a hash for you. The SHA
hash functions also exist.
I suppose unless you're using the latest version, you won't have access
to stored procedures.
Its not really a security risk as the highest risk there would be the
transfer of the salted hash and the salt from the database. All the
processing will happen server side and shouldn't be too much of a
problem. (I'm sure the more paranoid of the forum will quickly say
differently. ;) )
Hope this helps.
Regards
Ray
Thanks again Ray :).
I am using MYSQL5, and tried looking through the online manual for
hash functions but couldn't seem to find any. I'll take another look.
Thanks again, you've been a huge help :)
Paul This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Billy Jacobs |
last post by:
I have a website which has both secure and non-secure
pages. I want to uses forms authentication. How do I
accomplish this?
Originally I had my web.config file in the root with Forms
Authentication set up and it worked just fine. Then I
realized that I needed to have some pages unsecure.
I then created 2 directories. One named Secure and the
other named Public. I placed my web.config file in my
|
by: debedb |
last post by:
Hi all,
I have a link, <A onClick="javascript:foo()">. The
foo() function does
w = window.open('', fieldid+'mywindow', prop);
w.document.open();
d = w.document;
And proceeds to write stuff there.
|
by: Mike |
last post by:
I have noticed that the id of my session object changes
when I switch from a non-secure to a secure connection.
What I'm trying to do:
I have a cookie that is built on the non-secure side of
things. What I need to do is to switch to a secure
connection and then later on while still in that secure
connection delete the cookie that was created on the non-
secure side.
|
by: Seth |
last post by:
I have noticed that the id of my session object changes
when I switch from a non-secure to a secure connection.
What I'm trying to do:
I have a cookie that is built on the non-secure side of
things. What I need to do is to switch to a secure
connection and then later on while still in that secure
connection delete the cookie that was created on the non-
secure side. I need to do this because I can not
reference the non-secure cookie...
|
by: Iulian Ionescu |
last post by:
I have a page (http://www.something.com/) and a secure page (https://secure.something.com) and the secure.something.com points to http://www.something.com/secure/
All works ok, but, when I transfer to one of the pages on the secure directory all gets lost. First of all, I had to basically duplicate my web application assembly in the secure folder. I created a "secureWrapper" solution and I added the main web application as a reference,...
| | |
by: Joe |
last post by:
I have an application which runs in a non-secure environment. I also have an
application that runs in a secure environment (both on the same machine). Is
there any way to share the session data for this?
Most of the site allows the user to add things to a cart (non-secure), once
they choose to check-out, I need this information which was stored in the
session to be read by the payment page(secured).
Hope this makes sense. It's probably...
|
by: Robert Seacord |
last post by:
The CERT/CC has released a beta version of a secure integer library for
the C Programming Language. The library is available for download from
the CERT/CC Secure Coding Initiative web page at:
http://www.cert.org/secure-coding/
The purpose of this library is to provide a collection of utility
functions that can assist software developers in writing C programs that
are free from common integer problems such as integer overflow, integer...
|
by: Robert Seacord |
last post by:
The CERT/CC has just deployed a new web site dedicated to developing
secure coding standards for the C programming language, C++, and
eventually other programming language.
We have already developed significant content for the C programming
language that is available at:
https://www.securecoding.cert.org/
by clicking on the "CERT C Programming Language Secure Coding Standard"
|
by: amitvps |
last post by:
Secure Socket Layer is very important and useful for any web application but it brings some problems too with itself. Handling navigation between secure and non-secure pages is one of the cumbersome jobs.
When a non-secure page references a secure page with relative URL, the web server generates error until absolute URL with https prefix is used. On the other hand when a secure page references a non-secure page, the non-secure page will be...
|
by: zr |
last post by:
Hi,
Does usage of checked iterators and checked containers make code more
secure?
If so, can that code considered to be reasonably secure?
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| | |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| | |
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
