Re: Simple VB.NET Web Application Encryption/Decryption of password

From: Michael Giagnocavo [MVP] (mggUNSPAM_at_Atrevido.net)
Date: 11/14/03


Date: Thu, 13 Nov 2003 20:57:32 -0600

It'll be something like this:

Imports System.Security.Cryptography
Imports System.Text

Public Function Hash(ByVal username As String, ByVal password As String) As String
    ' Salt is the username, case insensitive
    Dim salt As Byte() = Encoding.UTF8.GetBytes(username.ToUpper())
    ' Use the SHA1 hash algorithm, iterated 2^10 times (adds some strength to the
    ' passwords, as far as brute forcing the hash). Consider replacing with a
    ' higher number of iterations if your app can handle the perf impact (spending
    ' about 1 second of CPU on hashing the password sounds good).
    Dim pdb As New PasswordDeriveBytes(password, salt, "SHA1", 1024)
    ' Return 20 bytes (160 bits, the size of the output from SHA1) as a Base64 string
    Return Convert.ToBase64String(pdb.GetBytes(20))
End Function

That should do it (haven't written any VB code for a while).

-mike
MVP

"Fred Nelson" <fred@smartybird.com> wrote in message
news:eo3SM8kqDHA.2592@TK2MSFTNGP10.phx.gbl...
> Michael:
>
> Thanks for your reply - you are right that the password should be one way
> and since tomorrow is Friday I can get "away" with coding this change over
> the weekend.
>
> The example that you had me link to was written in C# and I'm a fairly new
> VB.NET programmer. I can handle the logic of creating, encrypting, and
> sending the password if I can figure out how to encrypt it.
>
> Do you have a one-way encryption example that you can point me to?
>
> Thanks again for your help - I appreciate it.
>
> Fred
>
>
> "Michael Giagnocavo [MVP]" <mggUNSPAM@Atrevido.net> wrote in message
> news:u2K6zkkqDHA.1960@TK2MSFTNGP12.phx.gbl...
> > > A one-way encryption won't work since I need to be able to e-mail users
> > > their password if they lose it.
> >
> > You should email them a newly generated password instead. This is better
> > A) because it's far more secure -- reversible encryption means dealing with
> > storing the key and B) The user is notified when the password is reset.
> > Suppose I ask for the password to be emailed and intercept it (I stroll by
> > his computer for 10 seconds or whatever other attack). Then I delete the
> > email. I now have his password and he doesn't know that it's been changed.
> > Now I'm doing actions that Bob is going to be held responsible for (since
> > he'll have made other valid actions during the same time period). Not good.
> > If the password is reset to something random, then the true user notices
> > this because he can no longer log in.
> >
> > > I have searched MSDN and there are obviously many VERY complex encryption
> > > services available - I don't need certificates or PKI, Kerberos, etc -
> > > just something simple:
> >
> > If you MUST do a reversible password storage (like someone has a pistol to
> > your head), get someone else to sign off on it so when someone steals all
> > the passwords transparently (via email or a database hack), you can
> > hopefully get someone else's head chopped and not yours.
> >
> > http://blogs.gotdotnet.com/ivanmed/ has a nice sample (under noteworthy
> > posts at the top of the page) of doing two way password based encryption.
> >
> > -mike
> > MVP
> >
> >
>
>
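The scheme the thread settles on, one-way salted and iterated password hashing plus a reset that mails a freshly generated password rather than the stored one, as an added example that is not part of the original posts. It is written in Python rather than VB.NET so it can be run as is; the .NET equivalent of the derivation used here is Rfc2898DeriveBytes (PBKDF2), which appeared in .NET 2.0 after this thread and supersedes the PBKDF1-based PasswordDeriveBytes. Everything not in the posts is an assumption of the example: PBKDF2-HMAC-SHA256 with 100,000 iterations, a random 16-byte salt per user instead of the uppercased username (a username salt is predictable and repeats across systems, so a random one costs nothing and removes that weakness), a self-describing storage record so the iteration count can be raised later, and an in-memory `UserStore` class standing in for the users table.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Assumed parameters (chosen for this example, not taken from the post):
# PBKDF2-HMAC-SHA256, a 16-byte random salt per user, 32-byte derived key.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16
DK_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a key from the password and return a self-describing record
    'pbkdf2_sha256$<iterations>$<salt b64>$<key b64>' so the parameters can be
    raised later without breaking rows already stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # random, unpredictable, unique per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, DK_LEN)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations,
                            base64.b64encode(salt).decode("ascii"),
                            base64.b64encode(dk).decode("ascii"))


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time; the plaintext never needs to be recoverable."""
    try:
        alg, iterations, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if alg != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             int(iterations), len(expected))
    return hmac.compare_digest(dk, expected)


def hash_cost_seconds(iterations: int) -> float:
    """Time one derivation so the iteration count can be tuned to the CPU
    budget the post suggests (on the order of a second per login)."""
    start = time.perf_counter()
    hash_password("timing probe", salt=b"\x00" * SALT_BYTES, iterations=iterations)
    return time.perf_counter() - start


class UserStore:
    """Constructed in-memory stand-in for the application's users table."""

    def __init__(self) -> None:
        self.records = {}  # username -> hash record; no plaintext anywhere

    def create(self, username: str, password: str) -> None:
        self.records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self.records.get(username)
        if record is None:
            # Burn the same CPU for an unknown user so response time does not
            # reveal which usernames exist.
            hash_password(password, salt=b"\x00" * SALT_BYTES)
            return False
        return verify_password(password, record)

    def reset_password(self, username: str) -> str:
        """The flow the post recommends instead of mailing a stored password:
        generate a fresh random password, store only its hash, and hand the
        plaintext back exactly once so the caller can e-mail it. The old
        password stops working, so the real user notices a hijacked reset."""
        if username not in self.records:
            raise KeyError(username)
        new_password = secrets.token_urlsafe(12)
        self.records[username] = hash_password(new_password)
        return new_password


if __name__ == "__main__":
    store = UserStore()
    store.create("bob", "correct horse battery staple")
    print("login ok:", store.login("bob", "correct horse battery staple"))
    temp = store.reset_password("bob")
    print("old password still works:", store.login("bob", "correct horse battery staple"))
    print("mailed password works:", store.login("bob", temp))
    print("cost of %d iterations: %.3fs" % (ITERATIONS, hash_cost_seconds(ITERATIONS)))
```

The record format is the important design choice: because salt and iteration count travel with the hash, an operator can raise `ITERATIONS` when `hash_cost_seconds` shows the hardware has got faster and re-hash each user at their next successful login, without a migration. `reset_password` is also the only function that ever returns a plaintext password, and it returns one that the database does not hold.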


