<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'><div dir='ltr'>
<br> Hello guys. <BR> <BR>I need a slight help from you guys in my project in coding using C++. Im trying to figure out wads wrong with the code and im left with one error. Can you guys look at it for me please. The code is as per attached. Its a console application for C++.<BR><div><hr id="stopSpelling">Date: Sun, 12 Jun 2011 04:45:16 +0100<br>From: jim@manico.net<br>To: thomas@matasano.com<br>CC: rmc_0306@hotmail.com; security-basics@securityfocus.com; itsecanalyst@gmail.com; websecurity@webappsec.org<br>Subject: Re: [WEB SECURITY] FW: Password Manager with Fingerprint Verification<br><br>

  

<meta name="Generator" content="Microsoft SafeHTML">
    
  
  
    > I don't understand what "static bcrypt" is.<br>
    <br>
    No problem Thomas, I'm here to help. I was referring to using bcrypt
    without setting a strong work factor or using bcrypt without
    increasing the work factor over time. As hardware and cloud hash
    cracking capabilities increase over time, the effectiveness of
    bcrypt's default work factor decreases. So it's prudent to increase
    your work factor over time.  Like your referenced article says, as
    of Feb 2011, for about $300/hour, you could crack around
    500,000,000,000 candidate passwords a second. Where are we going to
    be in 10 years?<br>
    <br>
    > The default work factor for bcrypt (in most libraries, this
    number is "10") is so much more effective than any other password
    hashing strategy that it is unnecessary to recommend an alternative.
    <br>
    <br>
    I politely disagree. "Most Libraries" makes me nervous. You need to
    increase the work factor over time to account for the rapid increase
    in hardware and cloud capabilities. I also thinks it prudent to
    suggest an explicit initial work factor (even if that number is 10
    and is frequently the default work factor), and that recommendation
    should change over time. The article you referred to below failed to
    mention either of these recommendations. Relying strictly on
    computability time is a temporary solution at best.<br>
    <br>
    > Dialing up the work factor imposes application costs. bcrypt
    with a work factor of 12 is probably too slow for any popular web
    application. Again: this cost/benefit tradeoff is the point of
    bcrypt, not a liability. But it's also a reason why you don't bother
    telling people to noodle around changing their cost factors.<br>
    <br>
    The whole point of a good password storage strategy is to slow down
    the process of verification. "work factor 10" processing time is
    dependent on hardware. It might be great today, but may not be in 10
    years.<br>
    <br>
    > Every article about bcrypt makes a point of saying the work
    factor is tunable. That is, after all, the point of bcrypt.<br>
    <br>
    So, you are saying that we should not change the work factor, but it
    is tunable? I'm confused at the point you are trying to make.<br>
    <br>
    > "Secret salt" schemes are flawed, universally. If you are
    depending on a bare cryptographic hash with a "salt" for your
    security, without a vetted iterating/stretching construct, you are
    in fact introducing vulnerabilities into your applications. We would
    tend to document any such schemes as vulnerabilities in assessments;
    that's how clear this issue is. <br>
    <br>
    I'm sure we can all agree that per-user salting IS critical to avoid
    users with the same passwords having the same hash. This is why
    bcrypt salts under the hood and stores it with the hash by default.
    The issue we are debating is the power of salt isolation. I prefer
    to store the hash in the database but put the salt on the file
    system. For example, suppose an inside attacker gets his paws on
    your database backup where all your sensitive data is encrypted and
    the passwords are hashed  (but the attacker does not have access to
    the live server file system).  The solution with salt isolation
    would be stronger in this situation.<br>
    <br>
    > Don't use salted hashes to store passwords. They are
    inadequate.<br>
    <br>
    I agree. You need to use a salted hash AND iterate that hash
    thousands of times. And you need to increase that hash iteration
    count over time.<br>
    <br>
    So if you you are going to go the bcrypt route, make sure you have a
    solid and well-vetted implementation[1]. You may also want to
    suggest a work factor of 10 today and increase it by 1 every 10
    years. You should also rip the salt from the computed bcrypt hash
    and isolate it. <br>
    <br>
    So if you are going to go the PBKDF2-like route, a minimum of 1000
    hash iterations is recommended in RSA PKCS5 standard (which is used
    under the hood of PBKDF2).  I recommend 1000 sha-2 iterations as of
    y2k and double that every 2 years[2]. <br>
    <br>
    For bonus points, re-hash the password each time the users logs in
    and generate a new salt for either bcrypt or PBKDF2 schemes.<br>
    <br>
    And if you are only depending on a password as a sole credential,
    probably a bad idea. The era of passwords is dead! In a 2 factor
    authN system, your password policy and your storage mechanism can be
    a lot weaker without reducing risk. Time to move to 2-factor
    solutions like those powerful and potent RSA tokens. *wink* <br>
    <br>
    - Jim<br>
    <br>
    [1] Nail in the coffin regarding using bcrypt for hashing (for some
    shops) is that blowfish is banned by most business encryption
    standards as well as FIPS-140.<br>
    <br>
    [2]  I'm starting to think that the time horizon also needs to
    change over time for setting a new hash iteration count for
    PBKDF2-like schemes. Or even better, I'm experimenting with
    re-computing (and increasing) the needed hash iteration count during
    run-time for the brief moment in time that I have the password in
    memory during login and can re-hash on the fly. This might add a few
    more lines of code to the implementation but will slow down login
    attempts a little bit over time - which is cool for security but is
    no-no for most shops. Depends on your biz requirements and risk
    tolerance.<br>
    <br>
    <blockquote cite="mid:401ABA2B-680D-4B9A-9718-57072E11C780@matasano.com">
      <div><br>
      </div>
      <div>
        <div>On Jun 9, 2011, at 1:39 PM, James Manico wrote:
          <div><br class="ecxApple-interchange-newline">
            <blockquote>
              <div>
                <div>Using bcrypt in a static way is a poor idea. You
                  must also increase the work factor over time. The
                  article below fails to recommend a specific work
                  factor nor does it suggest that the work factor needs
                  to increase over time.</div>
                <div><br>
                </div>
                <div>Bcrypt is a good solution for password storage,
                  don't get me wrong, but it's not the only solution.</div>
                <div><br>
                </div>
                <div>Salting can also lower dictionary attack risks in
                  some situations if you isolate the salt from the hash.</div>
                <div><br>
                </div>
                <div>Respectfully,</div>
                <div>Jim Manico</div>
                <div><br>
                  On Jun 9, 2011, at 19:31, Thomas Ptacek <<a href="mailto:thomas@matasano.com">thomas@matasano.com</a>>
                  wrote:<br>
                  <br>
                </div>
                <blockquote>
                  <div>You're right; they can only use bcrypt if they're
                    on Rails, Python, PHP, Perl, .NET, Java, C/C++, or
                    Erlang.
                    <div><br>
                    </div>
                    <div>Iterating SHA256 correctly is a little trickier
                      than just repeatedly rehashing (see: RFC2898 for
                      PBKDF2), but does work.</div>
                    <div><br>
                    </div>
                    <div>In working with and talking to over a hundred
                      startup web developers, I've learned that when you
                      leave password hashing open to implementation (for
                      instance, by rolling your own "stretched" SHA256),
                      you end up with people who use secret salts. It's
                      better --- it's just better --- to use bcrypt. </div>
                    <div><br>
                      <div>
                        <div>On Jun 9, 2011, at 1:27 PM, James Manico
                          wrote:</div>
                        <br class="ecxApple-interchange-newline">
                        <blockquote>
                          <div>
                            <div>Not everyone had access to bcrypt.
                              Iterating the hash thousands of times
                              mitigates the concern in the paper below.
                              This hash iteration count is basically the
                              same thing as bcrypts work factor and just
                              like using bcrypt this work factor will
                              need to be increased over time.</div>
                            <div><br>
                            </div>
                            <div>Hash iteration count was recommended to
                              be 1000 in the year 2000 and should be
                              doubled every three years to be in line
                              with bcrypts work factor recommendations.</div>
                            <div><br>
                            </div>
                            <div>Cheers from AppSecEU in Dublin.</div>
                            <div><br>
                              Jim Manico</div>
                            <div><br>
                              On Jun 9, 2011, at 17:12, Thomas Ptacek
                              <<a href="mailto:thomas@matasano.com">thomas@matasano.com</a>>
                              wrote:<br>
                              <br>
                            </div>
                            <blockquote>
                              <div>
                                <div><a href="http://codahale.com/how-to-safely-store-a-password/" target="_blank">http://codahale.com/how-to-safely-store-a-password/</a></div>
                                <div><br>
                                </div>
                                <div>Just read this article and do
                                  exactly what it says.</div>
                                <div><br>
                                </div>
                                <div>
                                  <div>On Jun 8, 2011, at 6:34 PM,
                                    Vikneswaran Kunasegaran wrote:</div>
                                  <br class="ecxApple-interchange-newline">
                                  <blockquote>
                                    <div style="font-family: Tahoma; font-size: 10pt;" class="ecxhmmessage">Hi Gautham..<br>
                                       <br>
                                      So in your email below are you
                                      stating that without encryption,
                                      salting and hashing alone would be
                                      secured and difficult to crack
                                      by unauthorised people? I was just
                                      thinking too much on how to make
                                      my databse secure maybe thats
                                      why I got into this. Sorry though
                                      hehe. So, in your opinion, what
                                      would be your advise if I wanted
                                      to salt this password for a 1000
                                      times and then hash it as this was
                                      a comment from another person who
                                      replied my email. Is it okay or
                                      the suggestion you made is secured
                                      enough. Kindly awaiting your reply
                                      on this. And thank you very much
                                      for replying me Mr Gautham. Really
                                      appreciate it.<span class="ecxApple-converted-space"> </span><br>
                                       <br>
                                      Have a nice day.<span class="ecxApple-converted-space"> </span><br>
                                       <br>
                                      <hr id="ecxstopSpelling">Date: Tue, 7
                                      Jun 2011 16:15:30 -0700<br>
                                      Subject: Re: Password Manager with
                                      Fingerprint Verification<br>
                                      From:<span class="ecxApple-converted-space"> </span><a href="mailto:itsecanalyst@gmail.com">itsecanalyst@gmail.com</a><br>
                                      To:<span class="ecxApple-converted-space"> </span><a href="mailto:rmc_0306@hotmail.com">rmc_0306@hotmail.com</a><br>
                                      CC:<span class="ecxApple-converted-space"> </span><a href="mailto:security-basics@securityfocus.com">security-basics@securityfocus.com</a>;<span class="ecxApple-converted-space"> </span><a href="mailto:websecurity@webappsec.org">websecurity@webappsec.org</a><br>
                                      <br>
                                      I am still trying to get my
                                      understanding clear here. why
                                      would you want to (salted+hash)
                                      and then encrypt it. Is just
                                      getting a hash not enough, you can
                                      do salted+sha256 and you should be
                                      good.<br>
                                      <br>
                                      <span><span style="background-color: rgb(255, 255, 102);"></span></span>if
                                      you want a clear text password,
                                      then you might want to encrypt it,
                                      however it all depends what is the
                                      final use of these credentials.
                                      There are more controls that you
                                      would need to get in place if you
                                      want to encrypt-decrypt and then
                                      key management is a big issue that
                                      you need to think.<br>
                                      <br>
                                      G<br>
                                      <br>
                                      <div class="ecxgmail_quote">On
                                        Tue, May 31, 2011 at 6:01 PM,<span class="ecxApple-converted-space"> </span><span dir="ltr"><<a href="mailto:rmc_0306@hotmail.com">rmc_0306@hotmail.com</a>></span><span class="ecxApple-converted-space"> </span>wrote:<br>
                                        <blockquote style="padding-left: 1ex;" class="ecxgmail_quote">Hello
                                          Friends.<br>
                                          <br>
                                          Im a final year student for
                                          COmputer Security / Forensic.
                                          Im planning to do a project
                                          which requires me to do
                                          encryption and decryption. My
                                          possible choice of language
                                          would be<span class="ecxApple-converted-space"> </span><a href="http://VB.Net/" target="_blank">VB.Net</a>.
                                          I was wondering if wad is
                                          running in my mind can be
                                          executed. Well, I would make a
                                          application where a part of it
                                          wil be promting the guest to
                                          register and I wanted to store
                                          the password in the database.
                                          I did some research and came
                                          across Salting and Hashing.<span class="ecxApple-converted-space"> </span><span style="background-color: rgb(255, 255, 102);">I was
                                            wondering if is it possible
                                            to get the password which
                                            the user enters, salt it,
                                            hash it and encrypt it
                                            before I store in the
                                            database</span>. If so, what
                                          is the best secured strong
                                          encryption can I use in<span class="ecxApple-converted-space"> </span><a href="http://VB.net/" target="_blank">VB.net</a>.
                                          Because through out the
                                          research I have done, i have
                                          sen RInjdael as the most fav
                                          encryption algo which alot of
                                          programmers using. JUst a
                                          though on this. Kindly advise
                                          me. Thank you for your
                                          generous help and for reading
                                          query.<br>
                                          <br>
------------------------------------------------------------------------<br>
                                          Securing Apache Web Server
                                          with thawte Digital
                                          Certificate<br>
                                          In this guide we examine the
                                          importance of Apache-SSL and
                                          who needs an SSL certificate.
                                           We look at how SSL works, how
                                          it benefits your company and
                                          how your customers can tell if
                                          a site is secure. You will
                                          find out how to test,
                                          purchase, install and use a
                                          thawte Digital Certificate on
                                          your Apache web server.
                                          Throughout, best practices for
                                          set-up are highlighted to help
                                          you ensure efficient ongoing
                                          management of your encryption
                                          keys and digital certificates.<br>
                                          <br>
                                          <a href="http://www.dinclinx.com/Redirect.aspx?36%3b4175%3b25%3b1371%3b0%3b5%3b946%3be13b6be442f727d1" target="_blank">http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1</a><br>
------------------------------------------------------------------------<br>
                                          <br>
                                        </blockquote>
                                      </div>
                                      <br>
_______________________________________________<br>
                                      The Web Security Mailing List<br>
                                      <br>
                                      WebSecurity RSS Feed<br>
                                      <a href="http://www.webappsec.org/rss/websecurity.rss" target="_blank">http://www.webappsec.org/rss/websecurity.rss</a><br>
                                      <br>
                                      Join WASC on LinkedIn<span class="ecxApple-converted-space"> </span><a href="http://www.linkedin.com/e/gis/83336/4B20E4374DBA" target="_blank">http://www.linkedin.com/e/gis/83336/4B20E4374DBA</a><br>
                                      <br>
                                      WASC on Twitter<br>
                                      <a href="http://twitter.com/wascupdates" target="_blank">http://twitter.com/wascupdates</a><br>
                                      <br>
                                      <a href="mailto:websecurity@lists.webappsec.org">websecurity@lists.webappsec.org</a><br>
                                      <a href="http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org" target="_blank">http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org</a><br>
                                    </div>
                                  </blockquote>
                                </div>
                                <br>
                                <div>
                                  <span style="font:/normal Helvetica; text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; border-collapse: separate; orphans: 2; widows: 2;" class="ecxApple-style-span">
                                    <div>
                                      <div style="word-wrap: break-word;"><span style="font:/normal Helvetica; text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; border-collapse: separate; orphans: 2; widows: 2;" class="ecxApple-style-span">
                                          <div style="word-wrap: break-word;">
                                            <span style="font: 12px/normal Helvetica; text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; border-collapse: separate; orphans: 2; widows: 2;" class="ecxApple-style-span">
                                              <div style="word-wrap: break-word;">
                                                <span style="font: 12px/normal Helvetica; text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; border-collapse: separate; orphans: 2; widows: 2;" class="ecxApple-style-span">
                                                  <div style="word-wrap: break-word;">
                                                    <br>
                                                    ---</div>
                                                  <div>Thomas Ptacek //
                                                    matasano security //
                                                    founder, product
                                                    manager</div>
                                                  <div>reach me direct:
                                                    888-677-0666 x7805</div>
                                                  <div><br>
                                                  </div>
                                                </span></div>
                                            </span>"The truth will set
                                            you free. But not until it
                                            is finished with you."</div>
                                        </span><br class="ecxApple-interchange-newline">
                                      </div>
                                      <br class="ecxApple-interchange-newline">
                                    </div>
                                  </span><br class="ecxApple-interchange-newline">
                                </div>
                                <br>
                              </div>
                            </blockquote>
                            <blockquote>
                              <div><span>_______________________________________________</span><br>
                                <span>The Web Security Mailing List</span><br>
                                <span></span><br>
                                <span>WebSecurity RSS Feed</span><br>
                                <span><a href="http://www.webappsec.org/rss/websecurity.rss" target="_blank">http://www.webappsec.org/rss/websecurity.rss</a></span><br>
                                <span></span><br>
                                <span>Join WASC on LinkedIn <a href="http://www.linkedin.com/e/gis/83336/4B20E4374DBA" target="_blank">http://www.linkedin.com/e/gis/83336/4B20E4374DBA</a></span><br>
                                <span></span><br>
                                <span>WASC on Twitter</span><br>
                                <span><a href="http://twitter.com/wascupdates" target="_blank">http://twitter.com/wascupdates</a></span><br>
                                <span></span><br>
                                <span><a href="mailto:websecurity@lists.webappsec.org">websecurity@lists.webappsec.org</a></span><br>
                                <span><a href="http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org" target="_blank">http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org</a></span><br>
                              </div>
                            </blockquote>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                      <div>
                        <span style="font:/normal Helvetica; text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; border-collapse: separate; orphans: 2; widows: 2;" class="ecxApple-style-span">
                          <div>
                            <div style="word-wrap: break-word;"><span style="font:/normal Helvetica; text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; border-collapse: separate; orphans: 2; widows: 2;" class="ecxApple-style-span">
                                <div style="word-wrap: break-word;">
                                  <span style="font: 12px/normal Helvetica; text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; border-collapse: separate; orphans: 2; widows: 2;" class="ecxApple-style-span">
                                    <div style="word-wrap: break-word;">
                                      <span style="font: 12px/normal Helvetica; text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; border-collapse: separate; orphans: 2; widows: 2;" class="ecxApple-style-span">
                                        <div style="word-wrap: break-word;">
                                          <br>
                                          ---</div>
                                        <div>Thomas Ptacek // matasano
                                          security // founder, product
                                          manager</div>
                                        <div>reach me direct:
                                          888-677-0666 x7805</div>
                                        <div><br>
                                        </div>
                                      </span></div>
                                  </span>"The truth will set you free.
                                  But not until it is finished with
                                  you."</div>
                              </span><br class="ecxApple-interchange-newline">
                            </div>
                            <br class="ecxApple-interchange-newline">
                          </div>
                        </span><br class="ecxApple-interchange-newline">
                      </div>
                      <br>
                    </div>
                  </div>
                </blockquote>
              </div>
            </blockquote>
          </div>
          <br>
          <div>
            <span style="font:/normal Helvetica; color: rgb(0, 0, 0); text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; border-collapse: separate; orphans: 2; widows: 2;" class="ecxApple-style-span">
              <div>
                <div style="word-wrap: break-word;"><span style="font:/normal Helvetica; color: rgb(0, 0, 0); text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; border-collapse: separate; orphans: 2; widows: 2;" class="ecxApple-style-span">
                    <div style="word-wrap: break-word;"><span style="font: 12px/normal Helvetica; color: rgb(0, 0, 0); text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; border-collapse: separate; orphans: 2; widows: 2;" class="ecxApple-style-span">
                        <div style="word-wrap: break-word;"><span style="font: 12px/normal Helvetica; color: rgb(0, 0, 0); text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; border-collapse: separate; orphans: 2; widows: 2;" class="ecxApple-style-span">
                            <div style="word-wrap: break-word;">
                              <div><br>
                                ---</div>
                              <div>Thomas Ptacek // matasano security //
                                founder, product manager</div>
                              <div>reach me direct: 888-677-0666 x7805</div>
                              <div><br>
                              </div>
                            </div>
                          </span></div>
                      </span>"The truth will set you free. But not until
                      it is finished with you."</div>
                  </span><br class="ecxApple-interchange-newline">
                </div>
                <br class="ecxApple-interchange-newline">
              </div>
            </span><br class="ecxApple-interchange-newline">
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br></div>                                        </div></body>
</html>