Re: Best practices for storing/retrieving login credentials

From: Alek Davis (alek_DOT_davis_AT_intel_DOT_com)
Date: 06/30/03


Date: Mon, 30 Jun 2003 13:40:25 -0700


Yes, but the original question was not about implementing authentication. In
the scenario Roy described, he needs to know how to store a single set of
credentials (username and password) used by all members of his organization
for an FTP session. If I am reading it correctly, there are two problems
here. One, you must make sure that incoming callers are allowed to make FTP
calls. This can be done using password hash-based authentication Steven
described (followed by authorization logic). But the second problem, which -
I think - Roy is interested in is how to protect the common FTP credentials.
You cannot hash the FTP password, because the application needs to provide
it in plain text to the FTP server. The document Roy mentioned (in
particular, section 'Storing Database Connection Strings Securely' in
chapter 12 at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch12.asp
or http://tinyurl.com/8pku) addresses a similar problem and offers some
approaches. Unfortunately, none of the suggestions are perfect.

Alek

"Steven Grayson [MSFT]" <sgrayson@online.microsoft.com> wrote in message
news:OfF%23exzPDHA.2316@TK2MSFTNGP11.phx.gbl...
> You should avoid storing encrypted passwords because it raises key
> management issues - you can secure the password with encryption, but you
> then have to consider how to store the encryption key. If the key becomes
> compromised, an attacker can decrypt all the passwords within your data
> store.
>
> The preferred approach is to:
>
> Store a one-way hash of the password. Re-compute the hash when the password
> needs to be validated.
>
> Combine the password hash with a salt value (a cryptographically strong
> random number). By combining the salt with the password hash, you mitigate
> the threat associated with dictionary attacks.
>
> For more information on password storage, see
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples is subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
> "Michael Giagnocavo [MVP]" <mggUNSPAM@Atrevido.net> wrote in message
> news:O0ZZgcCPDHA.2256@TK2MSFTNGP11.phx.gbl...
> > You could look into the Data Protection API (DPAPI) or perhaps an LSA
> > Secret.
> > -mike
> > MVP
> >
> > "Roy Gunnarsson" <rgunnarsson__REMOVE__@excelsior.edu> wrote in
> > message news:uwafQA$ODHA.1556@TK2MSFTNGP10.phx.gbl...
> > > Hello all,
> > >
> > > I am planning for an application that will be used to delegate a
> > > series of tasks to clerical staff in my organization. One step involves
> > > connecting to an FTP site for which our organization has a single
> > > account. I don't wish to endow everybody with the login credentials and
> > > was wondering what the best way to store and retrieve the encrypted
> > > credentials is. I know I could have people use an FTP client with the
> > > login already set up, but I want to make the process as fool-proof as
> > > possible (not to imply that my co-workers are fools...) and prefer to
> > > simply code and automate that part as well. I already have the FTP
> > > functionality coded but obviously don't want to hardcode the login in
> > > plain text. I'm just wondering what's being done in such circumstances.
> > >
> > > Thanks,
> > >
> > > Roy Gunnarsson
> > >
> > >
> >
> >
>
>
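Added example, not code from any poster in this thread: it implements the first of the two problems Alek separates above, authenticating the callers with the salted one-way hash that Steven recommends, and shows why the salt defeats a precomputed dictionary table. It uses only the Python standard library (PBKDF2-HMAC-SHA256 via hashlib, constant-time comparison via hmac); the iteration count, usernames, passwords and word list are constructed values chosen for the example. The second problem, the shared FTP credential, is deliberately left out: as Alek notes it must be recoverable in plain text for the FTP server, so it cannot go in a hash store and needs a reversible protection such as the DPAPI or LSA secret Mike suggested.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# PBKDF2-HMAC-SHA256 work factor; assumed value for this example, raise it on real hardware.
ITERATIONS = 100_000
SALT_BYTES = 16

# A record is (salt, digest, iterations); the password itself is never stored.
Record = Tuple[bytes, bytes, int]


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Record:
    """Derive a one-way, salted digest. A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # cryptographically strong per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations


def store_user(store: Dict[str, Record], username: str, password: str) -> None:
    """Register a caller by storing only the salted digest, as the quoted advice recommends."""
    store[username] = hash_password(password)


def verify_user(store: Dict[str, Record], username: str, password: str) -> bool:
    """Re-compute the digest with the stored salt and compare in constant time."""
    record = store.get(username)
    if record is None:
        # Do the same work for unknown users so response time does not reveal valid usernames.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, expected, iterations = record
    _, actual, _ = hash_password(password, salt, iterations)
    return hmac.compare_digest(actual, expected)


def unsalted_digest(password: str) -> bytes:
    """What an unsalted store would hold: a bare SHA-256 of the password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def precomputed_lookup(wordlist: List[str], stored_digest: bytes) -> Optional[str]:
    """Model of why salting matters: a table of unsalted digests for a word list
    inverts any unsalted record directly, but never matches a salted PBKDF2 record."""
    table = {unsalted_digest(word): word for word in wordlist}
    return table.get(stored_digest)


if __name__ == "__main__":
    users: Dict[str, Record] = {}
    store_user(users, "alice", "correct horse")
    store_user(users, "bob", "correct horse")  # same password, different salt
    print("alice ok:", verify_user(users, "alice", "correct horse"))
    print("alice wrong pw:", verify_user(users, "alice", "battery staple"))
    print("records differ:", users["alice"][1] != users["bob"][1])
    words = ["password", "correct horse", "letmein"]  # constructed word list
    print("unsalted record inverted:", precomputed_lookup(words, unsalted_digest("correct horse")))
    print("salted record inverted:", precomputed_lookup(words, users["alice"][1]))
```

Two users with the same password get different records because each has its own random salt, so a single precomputed table cannot be reused across the store; the unknown-user branch in `verify_user` spends the same PBKDF2 work as a real check so that username validity does not leak through timing.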
