Hi all,
As you know, when implementing the salted hash technique, we go through the following steps:
1) Generate a random salt using classes in the Cryptography namespace.
2) Get the password.
3) Combine the password and salt and hash it.
4) Store the salt in a field called SALT.
5) Store the hashed value in a field called Password.
Also we have a field called Username.
When authenticating, we follow these steps:
1) Get the username.
2) Get the password.
3) Combine the entered password with the salt from the database.
4) Hash it and then compare it to Password.
5) If both match, the user is valid.
My question is: is it possible to store the salt inside the password field instead of creating a separate field for the salt? So if an attacker breaks into the DB, he cannot extract the salt value and will not know what the salt is.
And another question is: is it a good idea to also salt-hash the username? If yes, how do you implement this?
Note that I use a unique salt for each password.
Thanks in advance.
modified on Thursday, September 18, 2008 12:49 PM
DotNetWWW wrote: that is it possible to Store salt inside password field instead of creating a separate field for salt?
Yes. That's a good method. The steps could be:
1 - Generate a random salt.
2 - Append the salt to the plain text and calculate the hash.
3 - Append the salt bytes to the hashed bytes and return a base64 string.
For verifying you can follow:
1 - Get the hash bytes from the base64 string.
2 - Extract the original salt from the byte array. Usually a hash algorithm will have a predefined hash size; MD5 uses 128-bit hashing.
3 - Calculate the hash again with the plain text and the extracted salt.
4 - Verify the newly created hash against the original one.
DotNetWWW wrote: is that is it a good idea to also Salt-Hash username
I think it is not necessary.
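The single-column layout described in the reply above, written out in Python as an added illustration (this is not code from the thread): the salt is packed in front of the hash so that verification recovers it from the same column, which is also why the salt is never hidden from anyone who can read that column. The salt length, the salt-first ordering and the use of PBKDF2-HMAC-SHA256 in place of the MD5 mentioned in the thread are choices made here, not taken from the page.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed layout of the single stored column: base64(salt || hash). The salt
# goes first so it can be split off at a fixed offset; any fixed order works
# because, as the reply says, both parts have a known size.
SALT_LEN = 16         # bytes of random salt per password (chosen here)
DIGEST_LEN = 32       # PBKDF2-HMAC-SHA256 output length
ITERATIONS = 200_000  # work factor; raise as hardware allows


def derive(password: str, salt: bytes) -> bytes:
    """Step 2: combine password and salt and hash them. PBKDF2-HMAC-SHA256
    stands in for the MD5 mentioned in the thread."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, ITERATIONS, dklen=DIGEST_LEN)

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Steps 1-3: random salt, hash, then pack salt + hash into one base64 string."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    return base64.b64encode(salt + derive(password, salt)).decode("ascii")

def split_stored(stored: str) -> Tuple[bytes, bytes]:
    """Verify steps 1-2: decode the column and recover the salt from it.
    Anyone who can read the column can do the same, so the salt is not secret."""
    raw = base64.b64decode(stored, validate=True)
    if len(raw) != SALT_LEN + DIGEST_LEN:
        raise ValueError("stored value has an unexpected length")
    return raw[:SALT_LEN], raw[SALT_LEN:]

def verify_password(password: str, stored: str) -> bool:
    """Verify steps 3-4: rehash with the recovered salt and compare in constant
    time. A malformed stored value fails closed instead of raising."""
    try:
        salt, expected = split_stored(stored)
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False
    return hmac.compare_digest(derive(password, salt), expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record, verify_password("correct horse battery staple", record))
```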
N a v a n e e t h wrote: DotNetWWW wrote:
is that is it a good idea to also Salt-Hash username
I think it is not necessary.
I agree. No real point in doing that, unless he wants to make the username unreadable and that may backfire on him.
"The clue train passed his station without stopping." - John Simmons / outlaw programmer
"Real programmers just throw a bunch of 1s and 0s at the computer to see what sticks" - Pete O'Hanlon
"Not only do you continue to babble nonsense, you can't even correctly remember the nonsense you babbled just minutes ago." - Rob Graham
Thanks for your answers.
Isn't it useful to salt-hash the username? In that case the attacker cannot understand which record corresponds to which user. Doesn't it make the job harder for the attacker?
Another point is that we implement all the algorithms for hashing, and also for combining the password and salt, in code. As you know, .NET code is easily decompiled, and even when using a protector like XenoCode it is still possible to access the program code. So if the attacker can read the code, he will understand everything about the algorithm and the way we combine the password and salt. What is your suggestion?
DotNetWWW wrote: so If attacker can read code , he will understand everything about algorithm and the way we combine password and salt , what is your suggestion?
The attacker can read the algorithm, but since you are using a random salt, it is tough to hack into some account. But if he is getting the code, the chance of an attack is high. You could probably change the design.
DotNetWWW wrote: is it a good idea to also Salt-Hash username?
Not really because a one way hash will make it difficult to retrieve a lost username. If a hacker gets into your database and sees the usernames, they really don't help him/her at all when the passwords are hashed.
DotNetWWW wrote: My question is that is it possible to Store salt inside password field instead of creating a seperate field for salt?So if attcker breaks into DB , he cannot extract the salt value and will not know what salt is.
No. You need to get the salt value when you verify a password that the user enters.
You could scramble the salt in some way to make it harder to use, but that is just security by obfuscation so it doesn't add any real strength to the security.
DotNetWWW wrote: And another question is that is it a good idea to also Salt-Hash username?
No. What would be the point of protecting the user names? They can be seen in plain text on the screen when a user types it in...
Generally user names are not encrypted, as they are so easy to guess or intercept anyway.
Despite everything, the person most likely to be fooling you next is yourself.
What's going on here then?
public struct Bobbins
{
    public int X;
}

class Program
{
    static void Main(string[] args)
    {
        Bobbins[] memory = new Bobbins[100000000];
        for (int index = 0; index < memory.Length; index++)
        {
            memory[index] = new Bobbins();
        }
        Console.ReadLine();
    }
}
So here I create an array containing 100 million Bobbins structs. I know the for loop isn't necessary, but it will be in a minute. 700ms later the program is waiting for me to hit enter and Task Manager tells me it's taking up 400 million bytes of memory. This is good; I like this. My struct contains just an integer of 4 bytes, there are 100 million of them, so it all adds up.
Now, if I change Bobbins from a struct to a class, I'd expect the memory to double. My class should still be 4 bytes in length and my array now contains 4-byte references to the class (instance): 8 bytes per array element. In fact, 16 seconds after running the application my memory usage is 1.6GB, a total of 16 bytes per element.
Don't get it. Is there some overhead in size on classes?
Regards,
Rob Philpott.
I guess I should have read your entire post!
Rob Philpott wrote: Is there some overhead in size on classes?
There's definitely overhead for each object.
Mark Salsbery
Microsoft MVP - Visual C++
Ah, there it is in black and white. Perfect.
Thanks Alan.
Regards,
Rob Philpott.
I have written an application that will record values to MS Access.
While it runs well, I am trying to find a better way to make it easier for the user.
I created a config file that is read by the "DataLogger" and contains the information for the column name and the data to enter into the column. The problem with doing it this way is that if the column doesn't exist, the logger can choke.
The user interface contains 2 different listboxes. The first listbox contains the fields for the columns and the second contains the data to go into the columns.
My first objective is to try to connect directly to the datatable and populate the listbox with the fields for the datatable.
Is there another way that someone might suggest to make this easier? I am using a configuration file because that could be dumped over the network to multiple machines to use.
I'm not real experienced in this, to be gentle.
Can anyone help?
I am trying to compare two database tables (Table1, Table2) and update the difference into Table2 using C#.
I have compared the two tables and got the difference value.
How do I update the difference value into a particular row of Table2?
Student.aspx
*************
In the aspx page I have added three GridViews.
Student.aspx.cs
********************
using System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Data.SqlClient;
public partial class Student : System.Web.UI.Page
{
    Comapre objComapre = new Comapre();

    protected void Page_Load(object sender, EventArgs e)
    {
        DataTable First = objComapre.GetStudentTableOne();
        DataTable Second = objComapre.GetStudentTableTwo();
        // Rows of Student_1 that have no identical row in Student_2
        DataTable Compare = compareDataTables(First, Second);

        GridView1.DataSource = First;
        GridView1.DataBind();
        GridView2.DataSource = Second;
        GridView2.DataBind();
        GridView3.DataSource = Compare;
        GridView3.DataBind();
    }

    // Returns the rows of First that do not appear in Second. Two rows count
    // as the same only when every column value matches, because the
    // DataRelation below is built over all columns of both tables.
    public DataTable compareDataTables(DataTable First, DataTable Second)
    {
        First.TableName = "FirstTable";
        Second.TableName = "SecondTable";
        DataTable table = new DataTable("Difference");
        try
        {
            using (DataSet ds = new DataSet())
            {
                ds.Tables.AddRange(new DataTable[] { First.Copy(), Second.Copy() });

                DataColumn[] firstcolumns = new DataColumn[ds.Tables[0].Columns.Count];
                for (int i = 0; i < firstcolumns.Length; i++)
                {
                    firstcolumns[i] = ds.Tables[0].Columns[i];
                }
                DataColumn[] secondcolumns = new DataColumn[ds.Tables[1].Columns.Count];
                for (int i = 0; i < secondcolumns.Length; i++)
                {
                    secondcolumns[i] = ds.Tables[1].Columns[i];
                }

                // Relation over all columns; no constraints, so duplicate rows are tolerated
                DataRelation r = new DataRelation(string.Empty, firstcolumns, secondcolumns, false);
                ds.Relations.Add(r);

                // The difference table gets the same schema as First
                for (int i = 0; i < First.Columns.Count; i++)
                {
                    table.Columns.Add(First.Columns[i].ColumnName, First.Columns[i].DataType);
                }

                table.BeginLoadData();
                foreach (DataRow parentrow in ds.Tables[0].Rows)
                {
                    DataRow[] childrows = parentrow.GetChildRows(r);
                    if (childrows == null || childrows.Length == 0)
                        table.LoadDataRow(parentrow.ItemArray, true);
                }
                table.EndLoadData();
            }
        }
        catch (Exception ex)
        {
            // Console output is not visible from an ASP.NET page; log or surface the error instead
            Console.WriteLine(ex.Message);
        }
        return table;
    }
}
Comapre.cs
***********
using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Data.SqlClient;
public class Comapre
{
    // Connection string named "MystudentConnString" in Web.config
    readonly string strConnection =
        ConfigurationManager.ConnectionStrings["MystudentConnString"].ConnectionString.Trim();

    public DataTable GetStudentTableOne()
    {
        return RunProcedure("SP_GetStudent_1");
    }

    public DataTable GetStudentTableTwo()
    {
        return RunProcedure("SP_GetStudent_2");
    }

    // Executes a stored procedure and returns its result set. The original
    // version swallowed every exception in an empty catch block, which hides
    // connection, login and permission failures; letting them propagate (or
    // logging them) makes such failures visible. The using blocks guarantee
    // the connection is closed even when Fill throws.
    private DataTable RunProcedure(string procedureName)
    {
        DataTable result = new DataTable();
        using (SqlConnection connection = new SqlConnection(strConnection))
        using (SqlCommand command = new SqlCommand(procedureName, connection))
        {
            command.CommandType = CommandType.StoredProcedure;
            connection.Open();
            using (SqlDataAdapter adapter = new SqlDataAdapter(command))
            {
                adapter.Fill(result);
            }
        }
        return result;
    }
}
Web.config file
********************
<connectionStrings>
  <!-- Connects as the built-in "sa" administrator with its password embedded in the file;
       a dedicated login granted only EXECUTE on the two procedures limits what a leaked
       config or a SQL bug can reach. -->
  <add name="MystudentConnString" connectionString="Data Source=Poweredge;User Id=sa;password=sa;Initial Catalog=MyStudent;" providerName="System.Data.SqlClient"/>
</connectionStrings>
Database
Table1
*******
USE [MyStudent]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE TABLE [dbo].[Student_1](
[Stname] [nvarchar](50) COLLATE SQL_Latin1_General_CP1_CI_AS NULL,
[Age] [nvarchar](50) COLLATE SQL_Latin1_General_CP1_CI_AS NULL,
[DateofBirth] [nvarchar](max) COLLATE SQL_Latin1_General_CP1_CI_AS NULL,
[School] [nvarchar](50) COLLATE SQL_Latin1_General_CP1_CI_AS NULL,
[College] [nvarchar](50) COLLATE SQL_Latin1_General_CP1_CI_AS NULL
) ON [PRIMARY]
Table2
*******
USE [MyStudent]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE TABLE [dbo].[Student_2](
[Stname] [nvarchar](50) COLLATE SQL_Latin1_General_CP1_CI_AS NOT NULL,
[Age] [nvarchar](50) COLLATE SQL_Latin1_General_CP1_CI_AS NULL,
[DateofBirth] [nvarchar](max) COLLATE SQL_Latin1_General_CP1_CI_AS NULL,
[School] [nvarchar](50) COLLATE SQL_Latin1_General_CP1_CI_AS NULL,
[College] [nvarchar](50) COLLATE SQL_Latin1_General_CP1_CI_AS NULL
) ON [PRIMARY]
Storeprocedure
SP_GetStudent_1
***************
USE [MyStudent]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE procedure [dbo].[SP_GetStudent_1]
as
begin
select * from Student_1
end
SP_GetStudent_2
***************
USE [MyStudent]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE procedure [dbo].[SP_GetStudent_2]
as
begin
select * from Student_2
end
Thanks.
I'm using C# with VS 2002 to create a plugin for an industrial robot. Because there is no mouse or touchscreen, and usually the user doesn't know that they can use the Tab key, how do I switch between controls programmatically using the buttons on the form? I have tried the following:
private void Tabstop(object sender, IncrementEventArgs args)
{
    if (args.Plus)
    {
        this.TabIndex = this.TabIndex + 1;
    }
    else
    {
        this.TabIndex = this.TabIndex - 1;
    }
}
This isn't doing anything for me though.
Hi,
Your code is just changing the tab order of the calling control. You need to use this method:
public Control GetNextControl(Control ctl, bool forward)
which returns the next control in the tab order. I've never used it myself, but I assume that once you have a reference to the control you would then set focus to that control.
Alan.
Hello,
Where can I read about the best practices for programming in C# to be compatible with both 32-bit and 64-bit platforms?
I am relatively new to C#, so I was wondering whether it's possible to write a program that would be compatible on both 32-bit and 64-bit platforms. For example, if I use IntPtr, casting it to int (or long), adding IntPtr.Size and casting back to IntPtr, how do I do it to be compatible with both 32-bit and 64-bit platforms?
I would be thankful for any helpful resources about best practices.
Thank you.
I draw a picture box and in it I place a picture.
I want that, when I increase the size of the picture box, the picture increases with it.
As long as the picture box's size is increased, the picture should also increase with it.
hghghgh
Use the PictureBox.SizeMode property.
Hope it helps.
dhaim
programming is a hobby that make some money as side effect
Been there.
See, the Windows-generated code has the required properties!!!
I have a picture box and I load small and big pictures; when they are small I center them, when they are big I place a scroll.
You want that, right?
Place the picturebox inside a panel and allow scrolling. Since I don't remember the code (don't worry, it's simple), check, like I said, the Windows-generated code and the Properties window.
Make them the same size (panel and picture); when you get the picture, ask for its size. That way you know: if it is small you center, if bigger you scroll.
(Post again if you get stuck; I don't have the code memorized in my head.)
nelsonpaixao@yahoo.com.br
trying to help & get help
I made a textbox and a combo box (the combo box contains all available font sizes).
Now I want that when the user enters data in it,
he can also increase the size of the written text in the textbox by selecting the size from the combo box.
Try this:
textBox1.Font = new Font(textBox1.Font.Name,
    float.Parse(cboFontSizes.Items[cboFontSizes.SelectedIndex].ToString()));
Handle the above statement in the SelectedIndexChanged event of cboFontSizes,
where textBox1 is the TextBox used and cboFontSizes is the ComboBox holding the text sizes.
I am not sure about the terminology, but it would be great if anyone could just point me to the correct term for the technique so I can research it. It's when partially displaying a set of information coming from an SQL query in a C# application. A Next (and preferably also a Back) button is provided to navigate, say, every batch of 20 items.
Also, which is best for this technique: to query everything from SQL and have it cached within the application, so that Next just fetches from this 'collection', OR actually caching in the SQL server, if that is at all possible? If the former, I think its disadvantage is that the application would require a large amount of RAM for a large result set. For the latter, this means an SQL command is sent to the server to fetch the next batch of the result set, while not really sending another SELECT statement or using a WHERE clause. I hope I am making sense, as I'm only really guessing here at what I think is happening.
Thanks for any reply!
----------------------------------------------------------
"unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep" - my daily unix command list
I found somewhere an SQL statement like LIMIT in MySQL that is compatible with SQL 2000:
SELECT TOP(@LIMIT) * FROM TABLE WHERE KEY NOT IN (SELECT TOP(@OFFSET) KEY FROM TABLE ORDER BY KEY) ORDER BY KEY
Just fill in the LIMIT and OFFSET parameters for paging.
Hope it helps.
dhaim
modified on Thursday, September 18, 2008 11:11 AM