I MD5 encrypt passwords in a user table of my database. I have a global
application object (initiated in global.aspx) which contains a few
static members (for counting users online etc). because the MD5 encrypt
algorithm is used on creation of a new user, and on login of a user, I
considered putting it in a shared place. Would there be any security
risk if I put it as a public static method in the global object? Or is
this a bad idea?
Paul
May 10 '06
20  1478 
I thank you both for this, very informative, thread.
Juan T. Llibre, asp.net MVP
aspnetfaq.com : http://www.aspnetfaq.com/
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
=============== =============== =====
<Ge**********@g mail.com> wrote in message
news:11******** **************@ j73g2000cwa.goo glegroups.com.. . Ray Booysen wrote: Ge**********@gm ail.com wrote: > Ray Booysen wrote:
>> Ge**********@gm ail.com wrote:
>>> Ray Booysen wrote:
>>>> Ge**********@gm ail.com wrote:
>>>>> What would be considered a secure way to store passwords?
>>>>>
>>>>> Paul
>>>>>
>>>> Hi Gef
>>>>
>>>> I use SHA1 to hash my passwords. When a user is created on my site, his
>>>> password prefixed with a randomly generated salt and hashed with SHA1.
>>>> Both the hashed password and salt are stored in the database.
>>>>
>>>> When the user logs in, his password is sent to the SQL server in plain
>>>> text through a stored proc and the stored procedure returns whether it
>>>> is correct or not, the salt and hash never leave the database once there.
>>>>
>>>> If the user changes their password a new salt is generated and stored
>>>> again in the database.
>>>>
>>>> Hope this helps.
>>>>
>>>> Regards
>>>> Ray
>>> Hi Ray,
>>>
>>> I've created a class to create a random salt, use it with a password
>>> to created a salted hash and then put it and the salt into the db.
>>> I'm curious as to what stored proc you use to validate a login
>>> password. When the user wishes to log in, they will supply their
>>> password, but then i'd need the salt to create a saltedhash to compare
>>> against the one in the database. Wouldn't this mean pulling the salt
>>> for the uer out to create the saltedhash?
>>>
>>> Paul
>>>
>> For the case of authenticating, the user name and password is passed to
>> the database. In the stored proc, the password is salted with the
>> stored salt and hashed. Then this hash is compared to the stored hashed
>> password. If they are the same, you can pass back true or 1 or whatever
>> you want.
>>
>> Let me know if you need any other info! :)
>>
>> Regards
>> Ray
>
> Hi Ray,
>
> Thanks for the answers :). I'm currently using MySQL server with this
> project, and it doesn't contain any functionality for hashing etc (as
> far as I am aware anyway). So this means I would have to create the
> hash outside the DB. Would pulling the salt out to create the salted
> hash when a user tries to log in create any huge security risk? (I
> can't see another way of doing this with MySQL server - but i'm still
> learning so i might have missed something).
>
> Paul
>
MySQL can create the hashes for you, the functions are built in. E.g.
SELECT MD5(FullName) FROM Customer will create a hash for you. The SHA
hash functions also exist.
I suppose unless you're using the latest version, you won't have access
to stored procedures.
Its not really a security risk as the highest risk there would be the
transfer of the salted hash and the salt from the database. All the
processing will happen server side and shouldn't be too much of a
problem. (I'm sure the more paranoid of the forum will quickly say
differently. ;) )
Hope this helps.
Regards
Ray
Thanks again Ray :).
I am using MYSQL5, and tried looking through the online manual for
hash functions but couldn't seem to find any. I'll take another look.
Thanks again, you've been a huge help :)
Paul This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Billy Jacobs |
last post by:
I have a website which has both secure and non-secure
pages. I want to uses forms authentication. How do I
accomplish this?
Originally I had my web.config file in the root with Forms
Authentication set up and it worked just fine. Then I
realized that I needed to have some pages unsecure.
I then created 2 directories. One named Secure and the
other named Public. I placed my web.config file in my
|
by: debedb |
last post by:
Hi all,
I have a link, <A onClick="javascript:foo()">. The
foo() function does
w = window.open('', fieldid+'mywindow', prop);
w.document.open();
d = w.document;
And proceeds to write stuff there.
|
by: Mike |
last post by:
I have noticed that the id of my session object changes
when I switch from a non-secure to a secure connection.
What I'm trying to do:
I have a cookie that is built on the non-secure side of
things. What I need to do is to switch to a secure
connection and then later on while still in that secure
connection delete the cookie that was created on the non-
secure side.
|
by: Seth |
last post by:
I have noticed that the id of my session object changes
when I switch from a non-secure to a secure connection.
What I'm trying to do:
I have a cookie that is built on the non-secure side of
things. What I need to do is to switch to a secure
connection and then later on while still in that secure
connection delete the cookie that was created on the non-
secure side. I need to do this because I can not
reference the non-secure cookie...
|
by: Iulian Ionescu |
last post by:
I have a page (http://www.something.com/) and a secure page (https://secure.something.com) and the secure.something.com points to http://www.something.com/secure/
All works ok, but, when I transfer to one of the pages on the secure directory all gets lost. First of all, I had to basically duplicate my web application assembly in the secure folder. I created a "secureWrapper" solution and I added the main web application as a reference,...
| | |
by: Joe |
last post by:
I have an application which runs in a non-secure environment. I also have an
application that runs in a secure environment (both on the same machine). Is
there any way to share the session data for this?
Most of the site allows the user to add things to a cart (non-secure), once
they choose to check-out, I need this information which was stored in the
session to be read by the payment page(secured).
Hope this makes sense. It's probably...
|
by: Robert Seacord |
last post by:
The CERT/CC has released a beta version of a secure integer library for
the C Programming Language. The library is available for download from
the CERT/CC Secure Coding Initiative web page at:
http://www.cert.org/secure-coding/
The purpose of this library is to provide a collection of utility
functions that can assist software developers in writing C programs that
are free from common integer problems such as integer overflow, integer...
|
by: Robert Seacord |
last post by:
The CERT/CC has just deployed a new web site dedicated to developing
secure coding standards for the C programming language, C++, and
eventually other programming language.
We have already developed significant content for the C programming
language that is available at:
https://www.securecoding.cert.org/
by clicking on the "CERT C Programming Language Secure Coding Standard"
|
by: amitvps |
last post by:
Secure Socket Layer is very important and useful for any web application but it brings some problems too with itself. Handling navigation between secure and non-secure pages is one of the cumbersome jobs.
When a non-secure page references a secure page with relative URL, the web server generates error until absolute URL with https prefix is used. On the other hand when a secure page references a non-secure page, the non-secure page will be...
|
by: zr |
last post by:
Hi,
Does usage of checked iterators and checked containers make code more
secure?
If so, can that code considered to be reasonably secure?
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| | |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| | |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
|
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
