protect passwords in database

I have an application which uses a username and password for each user.

All is in a Microsoft Access database on the user's hard drive.

How can I protect that database to prevent the user from viewing it... or how can I protect passwords?
Maybe by encrypting them?

How? Any link or explanation would be great.

I'm using .NET C#, Framework 1.1

BR
Aug 3 '06 #1
Alfa,

You shouldn't encrypt passwords, period. With enough time and processing
power, someone will break it (although some algorithms are more likely to be
broken than others).

What you need to do is use a hash. Take a hash of the password and then
recreate it when people log in. If the hashes match, then you can allow
them to log in. The reason a hash works is that you can not recreate the
password from the hash, it is a one-way transformation.

Hope this helps.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

"Alfa & Omega" <al*****@gmail.com> wrote in message
news:ea**********@ss408.t-com.hr...
> I have an application which uses a username and password for each user.
>
> All is in a Microsoft Access database on the user's hard drive.
>
> How can I protect that database to prevent the user from viewing it... or how
> can I protect passwords?
> Maybe by encrypting them?
>
> How? Any link or explanation would be great.
>
> I'm using .NET C#, Framework 1.1
>
> BR

Aug 3 '06 #2

Alfa & Omega wrote:
> I have an application which uses a username and password for each user.
>
> All is in a Microsoft Access database on the user's hard drive.
>
> How can I protect that database to prevent the user from viewing it... or how can I protect passwords?
> Maybe by encrypting them?
>
> How? Any link or explanation would be great.

Not encrypting, but hashing them: Take the clear password, give it to a
hash algorithm (SHA-1 for example) and store the resulting hash in the
database. When you want to check a user-supplied password, hash it
using the same algorithm and compare the 2 hashed values (the one you
just computed and the one stored in the database).

Arnaud
MVP - VC

Aug 3 '06 #3
<ad******@club-internet.fr> wrote in message
news:11**********************@75g2000cwc.googlegroups.com...
|
| Not encrypting, but hashing them: Take the clear password, give it to a
| hash algorithm (SHA-1 for example) and store the resulting hash in the
| database. When you want to check a user-supplied password, hash it
| using the same algorithm and compare the 2 hashed values (the one you
| just computed and the one stored in the database).
|
Thanks for the advice, adebaene and Nicholas....

That's all I need.. but I just found this:
http://www.codeproject.com/cpp/rehash.asp
http://www.codeproject.com/dotnet/HackingMd5.asp

Is MD5 cracked or is it fake??

BR
Igor
Aug 3 '06 #4

"Alfa & Omega" <al*****@gmail.com> wrote in message news:
ea*********@ss408.t-com.hr...
> <ad******@club-internet.fr> wrote in message
> news:11**********************@75g2000cwc.googlegroups.com...
> |
> | Not encrypting, but hashing them: Take the clear password, give it to a
> | hash algorithm (SHA-1 for example) and store the resulting hash in the
> | database. When you want to check a user-supplied password, hash it
> | using the same algorithm and compare the 2 hashed values (the one you
> | just computed and the one stored in the database).
> |
> Thanks for the advice, adebaene and Nicholas....
>
> That's all I need.. but I just found this:
> http://www.codeproject.com/cpp/rehash.asp
> http://www.codeproject.com/dotnet/HackingMd5.asp
>
> Is MD5 cracked or is it fake??

MD5 is known to have a few weaknesses, that's why I suggested SHA-1.

Arnaud
MVP - VC
Aug 3 '06 #5
<ad******@club-internet.fr> wrote:
>> How can I protect that database to prevent the user from viewing it... or how can I protect passwords?
>> Maybe by encrypting them?
>>
>> How? Any link or explanation would be great.
>
> Not encrypting, but hashing them: Take the clear password, give it to a
> hash algorithm (SHA-1 for example) and store the resulting hash in the
> database. When you want to check a user-supplied password, hash it
> using the same algorithm and compare the 2 hashed values (the one you
> just computed and the one stored in the database).

Note that there are times when you *do* want to store an encrypted
password. Web browsers do it all the time, for instance - they save
passwords from forms, and need to present the same password later on.
Likewise Eclipse remembers my Subversion password.

I believe the Windows Cryptography API allows this to be tied closely
and reasonably safely to the current user.

If you only need to *verify* passwords, however, hashing is the right
way to go.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet Blog: http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too
Aug 3 '06 #6
Alfa & Omega <al*****@gmail.com> wrote:
> I have an application which uses a username and password for each user.
>
> All is in a Microsoft Access database on the user's hard drive.
>
> How can I protect that database to prevent the user from viewing it... or how can I protect passwords?
> Maybe by encrypting them?

You shouldn't use a cipher, but rather a hash .. unless you want the password
to be recoverable, but that is less secure.

Use an MD5 hash to hash the password. Then, when a user types their password,
you run the MD5 hash of that password and compare the result to what is in the
database.

The reason a hash is better than crypto (like DES) is that it is a one way
algorithm, so there is no chance of somebody stealing the database and
recovering all the passwords from it. With a cipher, they are subject to
brute force hacks.

--
Thomas T. Veldhouse
Key Fingerprint: 2DB9 813F F510 82C2 E1AE 34D0 D69D 1EDC D5EC AED1
Aug 3 '06 #7
Arnaud Debaene <ad******@club-internet.fr> wrote:
>
> MD5 is known to have a few weaknesses, that's why I suggested SHA-1.

Out of curiosity, what weaknesses? My FreeBSD boxes use them to great effect.

--
Thomas T. Veldhouse
Key Fingerprint: 2DB9 813F F510 82C2 E1AE 34D0 D69D 1EDC D5EC AED1
Aug 3 '06 #8
Thomas T. Veldhouse wrote:
> Arnaud Debaene <ad******@club-internet.fr> wrote:
>> MD5 is known to have a few weaknesses, that's why I suggested SHA-1.
>
> Out of curiosity, what weaknesses? My FreeBSD boxes use them to great effect.

md5 has been proven to have collisions, i.e. two values producing the same
hash.
Same for sha1, I believe that sha256 is recommended (over sha1) at the
moment.

In reality the chances are infinitesimally small of a collision actually
happening but if we can easily code around even that small chance then
why not.

Do a google search on sha1 collision and md5 collision for more info.

JB
Aug 3 '06 #9
Alfa & Omega wrote:
> I have an application which uses a username and password for each user.
>
> All is in a Microsoft Access database on the user's hard drive.
>
> How can I protect that database to prevent the user from viewing it... or how can I protect passwords?
> Maybe by encrypting them?
>
> How? Any link or explanation would be great.
>
> I'm using .NET C#, Framework 1.1
>
> BR

As well as what everyone else has said about using hashes, consider a
good salting scheme as well, so that two same passwords do not produce
the same hash.

JB
Aug 3 '06 #10
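
The scheme the replies above describe (hash the password, add a per-user salt, re-hash and compare at login), as an added example that is not code from any poster in this thread. The class name, method names, record format and sample passwords are hypothetical, and SHA-256 is used because it is the algorithm reply #9 recommends.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; names and the "salt:hash" record format are assumptions.
public class PasswordStore
{
    const int SaltSize = 16; // bytes of random salt generated per user

    // Builds the string to store in the password column: base64(salt):base64(hash).
    public static string CreateRecord(string password)
    {
        byte[] salt = new byte[SaltSize];
        RandomNumberGenerator.Create().GetBytes(salt);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(Hash(salt, password));
    }

    // Re-hashes the supplied password with the stored salt and compares the results.
    public static bool Verify(string password, string record)
    {
        string[] parts = record.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = Hash(salt, password);
        // Accumulate differences over every byte so the comparison time
        // does not depend on where the first mismatch occurs.
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    // SHA-256 over salt followed by the UTF-8 bytes of the password.
    static byte[] Hash(byte[] salt, string password)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        return SHA256.Create().ComputeHash(input);
    }

    public static void Main()
    {
        string first = CreateRecord("correct horse");   // constructed sample password
        string second = CreateRecord("correct horse");  // same password, second user
        Console.WriteLine("records differ: " + (first != second));
        Console.WriteLine("right password: " + Verify("correct horse", first));
        Console.WriteLine("wrong password: " + Verify("wrong guess", first));
    }
}
```

On .NET 2.0 and later, replacing the single SHA-256 pass in `Hash` with a deliberately slow key-derivation function such as PBKDF2 (`Rfc2898DeriveBytes`) raises the cost of guessing passwords offline from a copied database.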
John B <jb******@yahoo.com> wrote:
>> Out of curiosity, what weaknesses? My FreeBSD boxes use them to great effect.
>
> md5 has been proven to have collisions, i.e. two values producing the same
> hash.

All hash codes will have collisions. That much is clear just from the
pigeon-hole principle. The concern isn't that there *are* collisions -
it's that they can be engineered deliberately.

From what I remember of the MD5 "hole", it wouldn't actually help
anyone to break into such a system. Of course, it's worth researching
what the hole actually is rather than just taking my word for it.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet Blog: http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too
Aug 3 '06 #11
Jon Skeet [C# MVP] wrote:
> John B <jb******@yahoo.com> wrote:
>>> Out of curiosity, what weaknesses? My FreeBSD boxes use them to great effect.
>> md5 has been proven to have collisions, i.e. two values producing the same
>> hash.
>
> All hash codes will have collisions. That much is clear just from the
> pigeon-hole principle. The concern isn't that there *are* collisions -
> it's that they can be engineered deliberately.

Agreed, sorry.

> From what I remember of the MD5 "hole", it wouldn't actually help
> anyone to break into such a system. Of course, it's worth researching
> what the hole actually is rather than just taking my word for it.

In an interesting side note, the md5 'weakness' was actually used in a
defense against a traffic notice here in Australia recently.
A picture was taken, md5 hash generated for it and the person driving
argued in court that since md5 was 'broken' it was invalid.
The traffic authority was given a period of time to produce expert
witnesses to refute this claim and since they didn't, the case was
thrown out. :)

JB
Aug 3 '06 #12

"John B" <jb******@yahoo.com> wrote in message news:
44**********@news.iprimus.com.au...
> In an interesting side note, the md5 'weakness' was actually used in a
> defense against a traffic notice here in Australia recently.
> A picture was taken, md5 hash generated for it and the person driving
> argued in court that since md5 was 'broken' it was invalid.
> The traffic authority was given a period of time to produce expert
> witnesses to refute this claim and since they didn't, the case was thrown
> out. :)

Geee... Lawyers will be the last survivors after an atomic holocaust.... :-(

Arnaud
MVP - VC
Aug 4 '06 #13
"John B" <jb******@yahoo.com> wrote in message news:44**********@news.iprimus.com.au...
|
| From what I remember of the MD5 "hole", it wouldn't actually help
| anyone to break into such a system. Of course, it's worth researching
| what the hole actually is rather than just taking my word for it.
|
| In an interesting side note, the md5 'weakness' was actually used in a
| defense against a traffic notice here in Australia recently.
| A picture was taken, md5 hash generated for it and the person driving
| argued in court that since md5 was 'broken' it was invalid.
| The traffic authority was given a period of time to produce expert
| witnesses to refute this claim and since they didn't, the case was
| thrown out. :)
|
| JB

he he....lol ,)..

can't believe this.....
Aug 5 '06 #14
