websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] Password Manager with Fingerprint Verification

G
Gautam
Tue, Jun 7, 2011 11:15 PM

I am still trying to get my understanding clear here. Why would you want to
(salted+hash) and then encrypt it? Is just getting a hash not enough? You
can do salted+sha256 and you should be good.

If you want a clear-text password, then you might want to encrypt it;
however, it all depends on what the final use of these credentials is. There are
more controls that you would need to get in place if you want to
encrypt-decrypt, and then key management is a big issue that you need to
think about.

G

On Tue, May 31, 2011 at 6:01 PM, rmc_0306@hotmail.com wrote:

Hello Friends.

I'm a final year student in Computer Security / Forensics. I'm planning to do
a project which requires me to do encryption and decryption. My possible
choice of language would be VB.Net. I was wondering if what is running in my
mind can be executed. Well, I would make an application where a part of it
will be prompting the guest to register, and I wanted to store the password in
the database. I did some research and came across salting and hashing. I
was wondering if it is possible to get the password which the user enters,
salt it, hash it and encrypt it before I store it in the database. If so,
what is the most secure strong encryption I can use in VB.Net? Because
throughout the research I have done, I have seen Rijndael as the most favoured
encryption algorithm which a lot of programmers are using. Just a thought on this.
Kindly advise me. Thank you for your generous help and for reading my query.


Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1

JM
James Manico
Wed, Jun 8, 2011 3:54 PM

In addition to salting and hashing, I would also recommend that you iterate
the hash a few thousand times or more in addition to isolating the salt away
from the hash in some way.

Jim Manico

On Jun 7, 2011, at 8:48 PM, Gautam itsecanalyst@gmail.com wrote:
VK
Vikneswaran Kunasegaran
Wed, Jun 8, 2011 11:34 PM

Hi Gautham..

So in your email below, are you stating that without encryption, salting and hashing alone would be secure and difficult to crack by unauthorised people? I was just thinking too much about how to make my database secure; maybe that's why I got into this. Sorry though, hehe. So, in your opinion, what would be your advice if I wanted to salt this password 1000 times and then hash it, as this was a comment from another person who replied to my email? Is it okay, or is the suggestion you made secure enough? Kindly awaiting your reply on this. And thank you very much for replying to me, Mr Gautham. Really appreciate it.

Have a nice day.

Date: Tue, 7 Jun 2011 16:15:30 -0700
Subject: Re: Password Manager with Fingerprint Verification
From: itsecanalyst@gmail.com
To: rmc_0306@hotmail.com
CC: security-basics@securityfocus.com; websecurity@webappsec.org

TP
Thomas Ptacek
Thu, Jun 9, 2011 3:51 PM

http://codahale.com/how-to-safely-store-a-password/

Just read this article and do exactly what it says.

On Jun 8, 2011, at 6:34 PM, Vikneswaran Kunasegaran wrote:

The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org


Thomas Ptacek // matasano security // founder, product manager
reach me direct: 888-677-0666 x7805

"The truth will set you free. But not until it is finished with you."

JM
James Manico
Thu, Jun 9, 2011 6:27 PM

Not everyone had access to bcrypt. Iterating the hash thousands of times
mitigates the concern in the paper below. This hash iteration count is
basically the same thing as bcrypt's work factor, and just like using bcrypt,
this work factor will need to be increased over time.

Hash iteration count was recommended to be 1000 in the year 2000 and should
be doubled every three years to be in line with bcrypt's work factor
recommendations.

Cheers from AppSecEU in Dublin.

Jim Manico

On Jun 9, 2011, at 17:12, Thomas Ptacek thomas@matasano.com wrote:

G
Gautam
Thu, Jun 9, 2011 7:06 PM

Thomas: Thanks for that link, it was a good read and good info. I agree, I
still need to read more on this to get comfortable.

Vikneshwaran: In my view, for passwords you should salt it and hash it; now
the question of how many times you want to call this function,
'hash(salt+hash(salt+hash(salt+plain text)))', will depend on the
library/technology you are using and whether anything like that would work.
There are many factors to this:

  • Each time you call a hash function there are some CPU cycles you will
    use. Is it worth it for that?
  • Can you afford to keep your user waiting at "We are checking your
    credentials" for 5 seconds :-)
  • Are you going to have the same salt or a different salt for every
    iteration?
  • Where are you storing these salts? (In my view they should be in a
    separate table and always different for every user.)

In a plain vanilla application I would say SHA128(salt+plain_text) should be
enough; if you want more, think about layered security and not just
passwords.

I am not a guru on this; however, I am sure this is what anyone should
do. Folks here like 'MustLive' (I like this guy) and others can comment/correct
me.

Reference:

I like some cool tools that Steve Gibson provides for research and analysis;
try this one, "https://www.grc.com/haystack.htm", or search his website for
more references.
There is also a good read on hashing I read some time back:
http://www.zyxist.com/en/archives/111.

Hope all this helps.

Gautam

On Thu, Jun 9, 2011 at 8:51 AM, Thomas Ptacek <thomas@matasano.com> wrote:

http://codahale.com/how-to-safely-store-a-password/

Just read this article and do exactly what it says.

On Jun 8, 2011, at 6:34 PM, Vikneswaran Kunasegaran wrote:

Hi Gautham..

So in your email below, are you stating that without encryption, salting and
hashing alone would be secure and difficult to crack by unauthorised
people? I was just thinking too much about how to make my database secure; maybe
that's why I got into this. Sorry though hehe. So, in your opinion, what
would be your advice if I wanted to salt this password 1000 times and
then hash it, as this was a comment from another person who replied to my email?
Is it okay, or is the suggestion you made secure enough? Kindly awaiting
your reply on this. And thank you very much for replying to me, Mr Gautham.
Really appreciate it.

Have a nice day.



The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org


Thomas Ptacek // matasano security // founder, product manager
reach me direct: 888-677-0666 x7805

"The truth will set you free. But not until it is finished with you."
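An added example (not code from the thread, and Python rather than VB.Net so it runs stand-alone) of the salted, iterated hashing discussed above: a per-user random salt, the iteration count stored beside the hash, constant-time verification, and a calibration routine that measures how many iterations fit a given login delay instead of guessing. The function names and the record format are my own assumptions.

```python
"""Salted, iterated password hashing as discussed in the thread.
Added example, not code from the thread; Python rather than VB.Net so it
runs stand-alone. Function names and the record format are my own choices.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

HASH_NAME = "sha256"
SALT_BYTES = 16               # fresh random salt per user, never shared
DEFAULT_ITERATIONS = 100_000  # tune with calibrate_iterations() per machine


def chained_hash(password: str, salt: bytes, rounds: int) -> str:
    """The construction written out in the thread, taken literally:
    hash(salt + hash(salt + ... hash(salt + plain_text))).
    Shown to make the per-round cost concrete; PBKDF2 below is the
    standardized form of the same idea and is what to store in practice."""
    digest = password.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha256(salt + digest).digest()
    return digest.hex()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    The salt is not secret, so it can live in the same row or, as the thread
    suggests, in a separate table; storing the iteration count lets it be
    raised later without invalidating existing users."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time.
    Any malformed record verifies as False rather than raising."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != f"pbkdf2_{HASH_NAME}":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def calibrate_iterations(target_seconds: float, start: int = 1_000) -> int:
    """Double the iteration count until one hash takes about target_seconds.
    This turns "can I keep the user waiting N seconds?" into a measurement:
    the returned count is the one to configure for this hardware."""
    salt = os.urandom(SALT_BYTES)
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac(HASH_NAME, b"calibration", salt, iterations)
        if time.perf_counter() - t0 >= target_seconds or iterations >= 2**24:
            return iterations
        iterations *= 2


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec)
    print("right password:", verify_password("correct horse battery staple", rec))
    print("wrong password:", verify_password("Tr0ub4dor&3", rec))
    print("iterations for ~0.25 s here:", calibrate_iterations(0.25))
```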

VK
Vikneswaran Kunasegaran
Fri, Jun 10, 2011 4:45 AM

Hi Gautham

Yes, thank you for your references and website. Now I am clear on what to do with the password. Now I want to move on to the database which I will use to store both the user name and password. My big question is: is it possible to hash the database itself, or, to secure the database, should I encrypt it with no other option? Or is there any method which is simple yet secure to secure the database? Kindly awaiting your reply. Thank you for discussing this project of mine. It really strikes a lot of ideas in my mind now. Thanks a lot to Thomas and Jim too. Thank you a lot.

Have a nice day.

