protecting password

[solomon_13000]

I am using ms access database and asp 3.0 as my front end. In my
database there is a table called account and a field called password.
How do I protect the password stored in the database.

 

[Evertjan.]

solomon_13000 wrote on 14 jun 2006 in
microsoft.public.inetserver.asp.general:

I am using ms access database and asp 3.0 as my front end. In my
database there is a table called account and a field called password.
How do I protect the password stored in the database.

By not showing it on your website?

Protect against whom, btw?

I suspect every record in your table has a field called "password".

 

[solomon_13000]

Protect from hackers who could probably intercept the password as it
travels from a secure to unsecure to secure network.

 

[Rob Meade]

...

Protect from hackers who could probably intercept the password as it
travels from a secure to unsecure to secure network.

client-side hash of the password before sending it....
SSL whilst in transit
store a hashed password instead of plain text...

Just a few thoughts..

Regards

Rob

 

[Bob Lehmann]

Why are you passing a visible password from a secure to an unsecured
network?

Bob Lehmann

 

[solomon_13000]

Because its an internet based application.

 

[Evertjan.]

solomon_13000 wrote on 15 jun 2006 in
microsoft.public.inetserver.asp.general:

[please do not toppost on usenet]

Because its an internet based application.

You seem to be answering yourself an unasked question?

 

[solomon_13000]

I was asked:

Why are you passing a visible password from a secure to an unsecured
network?

My answer: Because its an internet based application

secure: hosting company server (I dont own the company)
unsecured: internet (free space)
end user: anyone including me

So if I have a login page, I supply my password and username, press the
submit button, the information will travel from the end user to the
hosting company server via an unsecured network, validated and the
results will be returned (true/false). Now anyone could possibly
intercept the password and username and do alot of damange if its not
secured.

 

[Evertjan.]

solomon_13000 wrote on 15 jun 2006 in
microsoft.public.inetserver.asp.general:

I was asked:

Why are you passing a visible password from a secure to an unsecured
network?

My answer: Because its an internet based application

secure: hosting company server (I dont own the company)

a network?

unsecured: internet (free space)
end user: anyone including me

So if I have a login page, I supply my password and username, press the
submit button, the information will travel from the end user to the
hosting company server via an unsecured network, validated and the
results will be returned (true/false). Now anyone could possibly
intercept the password and username and do alot of damange if its not
secured.

Secure HyperText Transfer Protocol.
<http://en.wikipedia.org/wiki/Secure_hypertext_transfer_protocol>

Or use one-time passwords.

 

[Anthony Jones]

How do I protect the password stored in the database.

The best way would be to store a hash of the password, rather than the
password itself. Microsoft has a redistributable API[1] that you can use
to generate the hash. Below I have included a function that demonstrates
the use of this API in VBScript.

' Function: Hash
' Generate a hash of a string value using the SHA1 algorithm.
'
' Arguments:
' value - The text to process
'
' Returns:
' A string containing the hexadecimal representation of the
' hash value.
Function Hash(value)
Dim data: Set data = CreateObject("CAPICOM.HashedData")
data.Algorithm = 0 ' CAPICOM_HASH_ALGORITHM_SHA1
data.Hash value
Hash = data.Value
End Function

When the visitor creates his account, you would use a function such as
this to generate a hash of the password he provided, and store that in the
database. Later, when the user logs in to your site, you would again
generate a hash of the password he provides and compare it to the one you
stored previously.

Keep in mind that, regardless of the length of the password, the hash will
be 40 characters long. Your database schema will need to reflect this.

[1] Platform SDK Redistributable: CAPICOM
http://www.microsoft.com/downloads/...3a-a843-462f-abb5-ff88ea5896f6&DisplayLang=en

There are a couple of problems with this approach.

First it requires a component to be installed on the client which the client
may not want to do.

Secondly just hashing the password on it's own doesn't really help, the
attacker only needs to re-use the hash to gain access.

To overcome the first limitation I've found the JS on the site to be
effective:-

http://pajhome.org.uk/crypt/md5/

Server side I still use binary APIs.

To overcome the second limitiation a challange/response approach needs to be
developed.

For example the code in the login page could contain a Nonce value (a value
which is unique and is only ever used this one time). The password and the
Nonce (I usually add the user name as well) are combined into a single
string from which the hash is derived.
The Nonce, Hash and username are sent to the server. The server looks up
the users password combines it with the Nonce and user name and should
generate a matching Hash.

Of course this requires the database contain the user password as plain
text. If this is a problem then a hash could be held and have the client
hash the password before using it in combination with the Nonce and hashing
a second time.

For a stronger solution the Nonce should have a short life time where it
expires whether it has been used or not. This can be implemented using
XMLHTTPRequest to fetch a nonce just prior to posting the login form.

Anthony.

 

[Anthony Jones]

On Wed, 14 Jun 2006 08:11:55 -0500, solomon_13000

How do I protect the password stored in the database.

The best way would be to store a hash of the password, rather than the
password itself. Microsoft has a redistributable API[1] that you can use
to generate the hash. Below I have included a function that demonstrates
the use of this API in VBScript.

' Function: Hash
' Generate a hash of a string value using the SHA1 algorithm.
'
' Arguments:
' value - The text to process
'
' Returns:
' A string containing the hexadecimal representation of the
' hash value.
Function Hash(value)
Dim data: Set data = CreateObject("CAPICOM.HashedData")
data.Algorithm = 0 ' CAPICOM_HASH_ALGORITHM_SHA1
data.Hash value
Hash = data.Value
End Function

There are a couple of problems with this approach.

First it requires a component to be installed on the client which the
client
may not want to do.

Actually, I ment that this be used server-side, to protect the password in
the database from prying eyes. You're right that it would not be useful
client side, but SSL would be more appropriate for that, anyway.

Thanks Justin I misunderstood you.

SSL would seem to be a better way but then you need to get a trusted
certificate (for which there may be a cost) and I've not found a way to
seemlessly transition from https to a http.

Without a trusted certificate the users are likely to get warnings that may
put them off.

A response.redirect from https to http also typically puts up a worrying
warning to the user. I've tried meta refresh but it will ignore the http
URL in the content attribute.

Any ideas, just curious?

 

[Anthony Jones]

True, and for good reason. A certificate that has not been signed by a
trusted authority would still be usable for encrypting the transmission,
but would be vulnerable to man-in-the-middle attacks.


I'm not aware of any way around that, and it seems to be SOP on the web,
anyway. I don't expect people to get very far without running into that
warning message. You could always just stick with SSL once you use it, but
then your visitors on dialup will hate you for rendering all the images
uncachable.

Not to mention the extra load on your server. Therefore I don't really
consider SSL a good solution for login bearing in mind a fairly strong
challange/response login can be created without it. SSL really becomes
useful when you need to send something to a server that it hasn't seen
before and/or shouldn't store e.g., Credit card details or the initial
username/password creation.

 

[Anthony Jones]

You honestly think you can build a strong login without it?

If Challange/Response MD5 or SHA1 is not strong enough for you then no
otherwise yes. After all if you really need it be very strong it's likely
you'd want all the content protected by SSL.

And without taxing your server more than SSL does, at that?

My point was I've not at this time been able to create smooth transition for
the a SSL protected Logon page to general unprotected content. Hence either
I scare the user with nasty 'You might be posting data in a unsecure way'
sort of message or I run the whole site in SSL which would definitely demand
more of the server than is necessary.

However, I'd be interested in techniques that allowed SSL to be used for
login only but did not involved scary message being given to the user. Any
ideas?

 

[Anthony Jones]

What version of IE are you seeing this behavior in? I have 6.0.3790.1830
(W2k3 SP1), and it seems to handle meta refresh correctly. I've included
the script I used to test below. Change the ``Script`` constant to
something appropriate.

<% Option Explicit

Const Script = "localhost/login.asp"

Dim action, secure
action = Request.Form("action")
secure = Request.ServerVariables("HTTPS")
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Default</title>
<% If action="login" Then %>
<meta http-equiv="refresh"
content="0;url=http://<%= Script %>">
<% End If %>
</head>
<body>
<div>Secure: <%= secure %></div>
<div>Action: <%= action %></div>
<form method="post" action="https://<%= Script %>">
<input type="submit" name="action" value="login">
</form>
</body>
</html>

I was missing the url= from the content attribute. It works fine now
thanks. It is certainly a better solution if you already have a trusted
certificate.

 

[Dave Anderson]

If Challange/Response MD5 or SHA1 is not strong enough for
you then no otherwise yes.

But either of those implemented on the client is still vulnerable to
man-in-the-middle attacks, just as SSL without trust is. But you knew that.

...I'd be interested in techniques that allowed SSL to be used
for login only but did not involved scary message being given
to the user. Any ideas?

Login at amazon.com.

 

[Anthony Jones]

But either of those implemented on the client is still vulnerable to
man-in-the-middle attacks, just as SSL without trust is. But you knew that.

Yes I did but even a logon created using trusted SSL is still vunerable to
man-in-the-middle attacks when the session in general operates over
unencrypted http. The attack is unable to actually reveal the password for
later use. The objective of this technique is simply to protect the
password. If the session needs protecting or the content then SSL is needed
for the whole session.

Login at amazon.com.

Yes Justin has put me right on this already. With a trusted certificate for
a single machine I would prefer SSL too. Gets a little tricky on IIS to
support multiple SSL websites though and not all my clients want to the
hassle. Clients are nervous about the idea of the password itself floating
about on the internet unencrypted so what I've proposed suits them, their
not exactly MI5.