My blog has moved and can now be found at http://blog.aniljohn.com

Thursday, November 20, 2003

.... I already used the hashing method, which is called one-way encryption.

I didn't know that you also have a two-way method, AES (Advanced Encryption Standard), based on a 256-bit key.
To say the least, surely secure enough!

James's article also includes a C# implementation. I'm thinking of using it for the case where I store user passwords, and I need an admin to be able to retrieve and decrypt a lost password.
[Paschal L]

The built-in crypto capabilities of the .NET Framework are pretty extensive. It can do both symmetric encryption (DES, RC2, Rijndael, TripleDES; Rijndael is the algorithm that was standardized as AES) and asymmetric encryption (DSA, RSA), as well as hashing (MD5, SHA1, SHA256, SHA384, SHA512).

As far as storing passwords in a database: DON'T! One of the basic tenets of security is that if you don't need to keep a secret, don't keep it. Passwords are a great example. Store a hash of the password, or better yet a salted hash: a random per-user salt means two users with the same password get different stored values, and an attacker who walks off with the table can't run precomputed lookup tables against it. The trade-off is deliberate: nobody, not even an admin, can recover the original password from what is stored, which is exactly why "retrieve and decrypt a lost password" should not be a requirement.

The byproduct of this, of course, is: how do you go about doing password resets?

A couple of ways I can think of: password hints (or challenge questions) provided by the user when the account is set up and answered again when the password needs to be changed; or sending out a temporary password to a known and verified e-mail address on file, with an explicit and short time window during which the password change must be made. In the second case the temporary password should be good for exactly one use, and should itself be stored only as a hash, so that a copy of the database does not hand an attacker a pile of live reset credentials.

Of course, for highly secure apps, the cleanest approach would be to provide a phone number where a human actually verifies the identity of the user and performs the temporary password reset.
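As an added example (not code from this post, and written in Python rather than the C# the post discusses), here is the salted-hash storage described above together with the e-mailed, time-limited temporary-password reset. The `UserStore` class, its method names, the 15-minute window and the PBKDF2 iteration count are assumptions chosen for illustration; the .NET Framework's `Rfc2898DeriveBytes` class performs the same PBKDF2 derivation.

```python
import hashlib
import hmac
import os
import secrets
import time

# PBKDF2 iteration count (assumed value). Raise it as hardware gets faster;
# the stored record carries the count, so old records still verify after a bump.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing salted hash: alg$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        alg, iterations, salt_hex, digest_hex = stored.split("$")
        if alg != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


class UserStore:
    """In-memory stand-in for the users table (hypothetical, for illustration)."""

    def __init__(self, now=time.time):
        self._now = now    # injectable clock so the expiry window can be tested
        self._users = {}   # username -> {"email", "pw_hash", "reset"}

    def create(self, username, email, password):
        self._users[username] = {
            "email": email,
            "pw_hash": hash_password(password),  # the password itself is never stored
            "reset": None,
        }

    def login(self, username, password):
        user = self._users.get(username)
        return user is not None and verify_password(password, user["pw_hash"])

    def start_reset(self, username, ttl_seconds=15 * 60):
        """Issue a single-use temporary token to be sent to the e-mail on file.

        Returns the token (None if no such user; a real handler would answer
        identically either way so the form can't be used to enumerate users).
        Only a hash of the token is kept, so a leaked table yields nothing usable.
        """
        user = self._users.get(username)
        if user is None:
            return None
        token = secrets.token_urlsafe(24)  # 192 random bits: a plain SHA-256 suffices
        user["reset"] = {
            "token_hash": hashlib.sha256(token.encode("utf-8")).digest(),
            "expires": self._now() + ttl_seconds,
        }
        return token

    def complete_reset(self, username, token, new_password):
        """Accept the token once, inside its window, and set the new password."""
        user = self._users.get(username)
        if user is None or user["reset"] is None:
            return False
        pending = user["reset"]
        if self._now() > pending["expires"]:
            user["reset"] = None          # expired: discard it, user must start over
            return False
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if not hmac.compare_digest(presented, pending["token_hash"]):
            return False
        user["reset"] = None              # consumed: the same token can't be replayed
        user["pw_hash"] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.create("alice", "alice@example.com", "correct horse")   # constructed sample user
    token = store.start_reset("alice")                              # would be e-mailed
    print("reset ok:", store.complete_reset("alice", token, "new passphrase"))
    print("login with new password:", store.login("alice", "new passphrase"))
```

The stored record is self-describing, so the iteration count can be raised later without invalidating existing rows, and both comparisons use `hmac.compare_digest` so the time taken does not leak how much of a guess matched.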

[Now Playing: Mitwa - Lagaan]

Tags:: Security
11/20/2003 9:11 PM Eastern Standard Time