Category: Security


Now add some pepper to your password

October 6th, 2007 — 10:03 am


I previously wrote a post on password security based on Jeff Atwood’s post explaining “Rainbow tables”.
As it turns out, Jeff received feedback from cryptographer Thomas Ptacek pointing out some corrections to the strategy offered in the original post.

The most important idea was using a cryptographically secure hash, meaning a hash which is expensive in processor time, unlike the common MD5.
One alternative is the Bcrypt algorithm, which has a C# implementation from Derek Slager.

(thanks to Kansir for the photo)


I would like some salt with that password, please

September 13th, 2007 — 02:22 pm

Jeff Atwood wrote an interesting post on using “Rainbow tables”, which are pre-calculated hashes of a range of possible strings, used to brute-force crack a password database.

One of the better methods for stopping someone who has your encrypted password from deducing the unencrypted version is “salting” your passwords before storing them, meaning you concatenate your password string with a long constant string before encoding it, thus making a brute force attack impossible (unless someone manages to get your server’s code).

For example, you can add the string “FarBetterEncryptedPasswordWithThisAttachedToIt” to every 6-character password before encrypting, forcing the hacker to compute all possible combinations for a 52-character string instead of all possible combinations for a 6-character string.
While using rainbow tables would allow cracking of a 6-character password in minutes, cracking a 52-character password would take years, and would require huge amounts of RAM.
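
To see both this post and the follow-up "pepper" post in running code, here is an added example (not from the original posts or from the authors they cite). It shows a precomputed table recovering a plain MD5 hash, the constant string defeating that table, and a per-user random salt with a slow hash as the stored form. Assumptions: the constant string is appended after the password, the table is a plain lookup over 3-letter strings rather than a real chained rainbow table, and PBKDF2 from Python's standard library is swapped in for bcrypt.

```python
import hashlib
import hmac
import itertools
import os
import string

# Constant string quoted in the post; appending it after the password is an assumption.
PEPPER = b"FarBetterEncryptedPasswordWithThisAttachedToIt"

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_table(length: int) -> dict:
    """Precompute MD5 of every lowercase string of `length` (toy stand-in for a rainbow table)."""
    words = ("".join(c) for c in itertools.product(string.ascii_lowercase, repeat=length))
    return {md5_hex(w.encode()): w for w in words}

def store(password: str, iterations: int = 200_000) -> tuple:
    """Per-user random salt plus a deliberately slow hash (PBKDF2 here, in place of bcrypt)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify(password: str, record: tuple) -> bool:
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def demo() -> dict:
    table = build_table(3)            # 26**3 = 17,576 precomputed hashes
    password = "cat"                  # constructed sample password
    peppered = md5_hex(password.encode() + PEPPER)
    rec_a, rec_b = store(password), store(password)   # two users, same password
    return {
        "plain_md5_lookup": table.get(md5_hex(password.encode())),
        "peppered_md5_lookup": table.get(peppered),
        # A constant string still gives every user with this password the same hash:
        "peppered_repeats": peppered == md5_hex(password.encode() + PEPPER),
        "salted_repeats": rec_a[2] == rec_b[2],
        "verify_right": verify(password, rec_a),
        "verify_wrong": verify("dog", rec_a),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```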


Security guidelines from Microsoft

May 30th, 2007 — 02:36 pm

Worried about SQL injections, user spoofing and other hacking methods?
Worry no more - here you can find various security checklists from the P&P team.


Running Internet Explorer in a secured account

April 21st, 2007 — 01:05 pm

We all know the security pitfalls that exist in Windows XP’s default configuration.
One widely recommended solution is to set up a new account which is not the default administrator account, and use it for day-to-day activities.
As a developer I like the freedom I get from administrator privileges, and I don’t want to sacrifice comfort for security.

However, surfing the web may still expose me to dangers, so I decided to set up a limited account for IE.

First I created a new user under the “users” group.
After I created a new shortcut for IE, I went into “properties” and modified the “target” text box:
C:\WINDOWS\system32\runas.exe /user:NewUser /savecred "C:\Program Files\Internet Explorer\IEXPLORE.EXE"

The only downside of this is that you lose all existing configuration data for IE.
And I can still run IE in my admin account whenever I like.
