[WEB SECURITY] FW: Password Manager with Fingerprint Verification

Gautam itsecanalyst at gmail.com
Thu Jun 9 15:06:59 EDT 2011


Thomas: Thanks for that Link, It was a good read and a good info. I agree
still need to read more on this to get comfortable.

Vikneshwaran: In my view for passwords you should salt it and hash it, now
the question on how many times you want to call this function
'hash(salt+hash(salt+hash(salt+plain text))', it will depend on the
library/technology you are using and if anything like that would work. There
are many factors to this,


   - Each time you have a hash function there are some CPU cycle you will
   use. Is it worth for that
   - Can you afford to keep your user waiting "We are checking your
   credentials" for 5 seconds :-)
   - Are you going to have same salt or different salt for every iteration
   - Where are you storing these salts. (In my view they should be in a
   separate table and always different for every user)


In plain vanilla application i would say SHA128(salt+plain_text) should be
enough, if you want more think about layered security and not just
passwords.

I am not a guru on this and, however I am sure this is what anyone should
do. Folks here 'MustLive' (i like this guy) and others can comment/correct
me.

*Reference:*

I like some cool tools that Steve Gibson provide for research and analysis,
try this one "https://www.grc.com/haystack.htm" or search his website for
more reference.
There is also a good read on hashing i read sometime back->
http://www.zyxist.com/en/archives/111.


Hope all this helps.

Gautam

On Thu, Jun 9, 2011 at 8:51 AM, Thomas Ptacek <thomas at matasano.com> wrote:

> http://codahale.com/how-to-safely-store-a-password/
>
> Just read this article and do exactly what it says.
>
> On Jun 8, 2011, at 6:34 PM, Vikneswaran Kunasegaran wrote:
>
> Hi Gautham..
>
> So in your email below are you stating that without encryption, salting and
> hashing alone would be secured and difficult to crack by unauthorised
> people? I was just thinking too much on how to make my databse secure maybe
> thats why I got into this. Sorry though hehe. So, in your opinion, what
> would be your advise if I wanted to salt this password for a 1000 times and
> then hash it as this was a comment from another person who replied my email.
> Is it okay or the suggestion you made is secured enough. Kindly awaiting
> your reply on this. And thank you very much for replying me Mr Gautham.
> Really appreciate it.
>
> Have a nice day.
>
> ------------------------------
> Date: Tue, 7 Jun 2011 16:15:30 -0700
> Subject: Re: Password Manager with Fingerprint Verification
> From: itsecanalyst at gmail.com
> To: rmc_0306 at hotmail.com
> CC: security-basics at securityfocus.com; websecurity at webappsec.org
>
> I am still trying to get my understanding clear here. why would you want to
> (salted+hash) and then encrypt it. Is just getting a hash not enough, you
> can do salted+sha256 and you should be good.
>
> if you want a clear text password, then you might want to encrypt it,
> however it all depends what is the final use of these credentials. There are
> more controls that you would need to get in place if you want to
> encrypt-decrypt and then key management is a big issue that you need to
> think.
>
> G
>
> On Tue, May 31, 2011 at 6:01 PM, <rmc_0306 at hotmail.com> wrote:
>
> Hello Friends.
>
> Im a final year student for COmputer Security / Forensic. Im planning to do
> a project which requires me to do encryption and decryption. My possible
> choice of language would be VB.Net. I was wondering if wad is running in
> my mind can be executed. Well, I would make a application where a part of it
> wil be promting the guest to register and I wanted to store the password in
> the database. I did some research and came across Salting and Hashing. I
> was wondering if is it possible to get the password which the user enters,
> salt it, hash it and encrypt it before I store in the database. If so,
> what is the best secured strong encryption can I use in VB.net. Because
> through out the research I have done, i have sen RInjdael as the most fav
> encryption algo which alot of programmers using. JUst a though on this.
> Kindly advise me. Thank you for your generous help and for reading query.
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL
> certificate.  We look at how SSL works, how it benefits your company and how
> your customers can tell if a site is secure. You will find out how to test,
> purchase, install and use a thawte Digital Certificate on your Apache web
> server. Throughout, best practices for set-up are highlighted to help you
> ensure efficient ongoing management of your encryption keys and digital
> certificates.
>
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------
>
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
>
>
> ---
> Thomas Ptacek // matasano security // founder, product manager
> reach me direct: 888-677-0666 x7805
>
> "The truth will set you free. But not until it is finished with you."
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20110609/b0c139f2/attachment-0003.html>


More information about the websecurity mailing list