protect passwords in database


Alfa & Omega

I have an application which uses a username and password for each user..

All is in a Microsoft Access database on the user's hard drive..

How can I protect that database, preventing the user from viewing it... or how can I protect the passwords?
Maybe by encrypting them?

how? any link or explanation would be great..

I'm using .NET C#, Framework 1.1

BR
 
Alfa,

You shouldn't encrypt passwords, period. With enough time and processing
power, someone will break it (although some algorithms are more likely to be
broken than others).

What you need to do is use a hash. Take a hash of the password and then
recreate it when people log in. If the hashes match, then you can allow
them to log in. The reason a hash works is that you can not recreate the
password from the hash, it is a one-way transformation.

Hope this helps.
 
Alfa said:
I have an application which uses a username and password for each user..

All is in a Microsoft Access database on the user's hard drive..

How can I protect that database, preventing the user from viewing it... or how can I protect the passwords?
Maybe by encrypting them?

how? any link or explanation would be great..

Not encrypting, but hashing them: take the clear password, give it to a
hash algorithm (SHA-1 for example) and store the resulting hash in the
database. When you want to check a user-supplied password, hash it
using the same algorithm and compare the 2 hashed values (the one you
just computed and the one stored in the database).

Arnaud
MVP - VC
 
|
| Not encrypting, but hashing them: take the clear password, give it to a
| hash algorithm (SHA-1 for example) and store the resulting hash in the
| database. When you want to check a user-supplied password, hash it
| using the same algorithm and compare the 2 hashed values (the one you
| just computed and the one stored in the database).
|


Thanks for the advice, adebaene and Nicholas....

That's all I need..but I just found this: http://www.codeproject.com/cpp/rehash.asp
http://www.codeproject.com/dotnet/HackingMd5.asp

md5 cracked or it's fake??

BR
Igor
 
Alfa & Omega said:
|
| Not encrypting, but hashing them: take the clear password, give it to a
| hash algorithm (SHA-1 for example) and store the resulting hash in the
| database. When you want to check a user-supplied password, hash it
| using the same algorithm and compare the 2 hashed values (the one you
| just computed and the one stored in the database).
|


Thanks for the advice, adebaene and Nicholas....

That's all I need..but I just found this:
http://www.codeproject.com/cpp/rehash.asp
http://www.codeproject.com/dotnet/HackingMd5.asp

md5 cracked or it's fake??

MD5 is known to have a few weaknesses, that's why I suggested SHA-1.

Arnaud
MVP - VC
 
Not encrypting, but hashing them: take the clear password, give it to a
hash algorithm (SHA-1 for example) and store the resulting hash in the
database. When you want to check a user-supplied password, hash it
using the same algorithm and compare the 2 hashed values (the one you
just computed and the one stored in the database).

Note that there are times when you *do* want to store an encrypted
password. Web browsers do it all the time, for instance - they save
passwords from forms, and need to present the same password later on.
Likewise Eclipse remembers my Subversion password.

I believe the Windows Cryptography API allows this to be tied closely
and reasonably safely to the current user.

If you only need to *verify* passwords, however, hashing is the right
way to go.
 
Alfa & Omega said:
I have an application which uses a username and password for each user..

All is in a Microsoft Access database on the user's hard drive..

How can I protect that database, preventing the user from viewing it... or how can I protect the passwords?
Maybe by encrypting them?

You shouldn't use a cipher, but rather a hash .. unless you want the password
to be recoverable, but that is less secure.

Use an MD5 hash to hash the password. Then, when a user types their password,
you run the MD5 hash of that password and compare the result to what is in the
database.

The reason a hash is better than crypto (like DES) is that it is a one way
algorithm, so there is no chance of somebody stealing the database and
recovering all the passwords from it. With a cipher, they are subject to
brute force hacks.
 
Arnaud Debaene said:
MD5 is known to have a few weaknesses, that's why I suggested SHA-1.

Out of curiosity, what weaknesses? My FreeBSD boxes use them to great effect.
 
Thomas said:
Out of curiosity, what weaknesses? My FreeBSD boxes use them to great effect.
md5 has been proven to have collisions, i.e. two values producing the same
hash.
Same for sha1, I believe that sha256 is recommended (over sha1) at the
moment.

In reality the chances are infinitesimally small of a collision actually
happening but if we can easily code around even that small chance then
why not.

Do a google search on sha1 collision and md5 collision for more info.

JB
 
Alfa said:
I have an application which uses a username and password for each user..

All is in a Microsoft Access database on the user's hard drive..

How can I protect that database, preventing the user from viewing it... or how can I protect the passwords?
Maybe by encrypting them?

how? any link or explanation would be great..

I'm using .NET C#, Framework 1.1

BR
As well as what everyone else has said about using hashes, consider a
good salting scheme as well, so that two same passwords do not produce
the same hash.

JB
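To make the hash-plus-salt scheme from Arnaud's and JB's replies concrete, here is an added example that is not from any poster in this thread; it is written in Python rather than the original poster's C# 1.1 so that it runs anywhere. Each user record stores a random per-user salt and SHA-256 of salt followed by password (SHA-256 as JB suggests over SHA-1); login recomputes the hash with the stored salt and compares. The `users` dictionary is a constructed in-memory stand-in for the Access table.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the Access table: username -> record.
users = {}

def hash_password(password, salt):
    """SHA-256 over salt || password, returned as hex (this is the stored value)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

def register(username, password, salt=None):
    """Create a record holding only the salt and the hash, never the password itself."""
    if salt is None:
        salt = os.urandom(16)           # fresh random salt per user
    users[username] = {"salt": salt.hex(), "hash": hash_password(password, salt)}
    return users[username]

def verify(username, candidate):
    """Recompute the hash with the stored salt and compare it to the stored hash."""
    record = users.get(username)
    if record is None:
        return False
    computed = hash_password(candidate, bytes.fromhex(record["salt"]))
    # compare_digest compares in constant time, so a wrong guess does not leak
    # how much of the stored hash it matched.
    return hmac.compare_digest(computed, record["hash"])

if __name__ == "__main__":
    register("alice", "correct horse")
    register("bob", "correct horse")
    # Same password, different salts: the stored hashes differ.
    print(users["alice"]["hash"] != users["bob"]["hash"])
    print(verify("alice", "correct horse"), verify("alice", "wrong"))
```

Without the salt (pass the same fixed salt to both calls) two users with the same password get the same stored hash, which is exactly what JB's salting advice prevents.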
 
John B said:
md5 has been proven to have collisions, i.e. two values producing the same
hash.

All hash codes will have collisions. That much is clear just from the
pigeon-hole principle. The concern isn't that there *are* collisions -
it's that they can be engineered deliberately.

From what I remember of the MD5 "hole", it wouldn't actually help
anyone to break into such a system. Of course, it's worth researching
what the hole actually is rather than just taking my word for it.
 
Jon said:
All hash codes will have collisions. That much is clear just from the
pigeon-hole principle. The concern isn't that there *are* collisions -
it's that they can be engineered deliberately.
Agreed, sorry.
From what I remember of the MD5 "hole", it wouldn't actually help
anyone to break into such a system. Of course, it's worth researching
what the hole actually is rather than just taking my word for it.
In an interesting side note, the md5 'weakness' was actually used in a
defense against a traffic notice here in Australia recently.
A picture was taken, md5 hash generated for it and the person driving
argued in court that since md5 was 'broken' it was invalid.
The traffic authority was given a period of time to produce expert
witnesses to refute this claim and since they didn't, the case was
thrown out. :)

JB
 
In an interesting side note, the md5 'weakness' was actually used in a
defense against a traffic notice here in Australia recently.
A picture was taken, md5 hash generated for it and the person driving
argued in court that since md5 was 'broken' it was invalid.
The traffic authority was given a period of time to produce expert
witnesses to refute this claim and since they didn't, the case was thrown
out. :)

Geee... Lawyers will be the last survivors after an atomic holocaust.... :-(

Arnaud
MVP - VC
 
|
| > From what I remember of the MD5 "hole", it wouldn't actually help
| > anyone to break into such a system. Of course, it's worth researching
| > what the hole actually is rather than just taking my word for it.
| >
| In an interesting side note, the md5 'weakness' was actually used in a
| defense against a traffic notice here in Australia recently.
| A picture was taken, md5 hash generated for it and the person driving
| argued in court that since md5 was 'broken' it was invalid.
| The traffic authority was given a period of time to produce expert
| witnesses to refute this claim and since they didn't, the case was
| thrown out. :)
|
| JB

he he....lol ,)..

can't believe this.....
 
