
Securing Web Accounts

Vasudevan Deepak Kumar, 5 Oct 2003

A brief look at how to store website accounts (signups) more securely.

Introduction

Most of us developing web applications use a username and password combination to authenticate and authorize users before they can use the application's services. The passwords are by default stored in a database, and we normally scramble them in some way to protect them from prying eyes. But an intruder determined to get hold of member accounts can still use a brute-force attack to recover those passwords.

This article does not attempt to cover coding-level requirements; it attempts to convey the need for strong passwords and stronger security arrangements to keep our web applications safe from prying eyes.

With this intention, I hope to cover "Passwords and Strong Security Measures" step by step for the benefit of readers, from the experience I gained while developing application security services for an application.

Message Digest 5 (MD5) Algorithm

With MD5, we normally use the MD5CryptoServiceProvider to compute the hash of the value to be protected and store the hashed value in the database. The next time the password has to be checked, we take the input string, compute its hash with the same algorithm and compare the two hash strings. In this way the password itself is never stored and remains safe and secure, at least to a reasonable level.

Next, we need to discuss how to deal with lost passwords. A forgotten password that is stored as an MD5 hash cannot be recovered from the hash, because the hash is one-way. The only option is to generate a new password, hash it and store it in the database. This newly generated password can be supplied to the user, who should then be forced to choose a new password the next time he logs in, so that the exposure created by sending out the generated password is limited.

Of course, it all depends on the significance and criticality of the application to be secured. Websites like Zend.com keep the new-password request URL active for only 2 hours, after which the request expires and a new request has to be submitted.

Generating a MD5 Hash

  1. Programming languages like PHP have built-in support for generating MD5 hashes.
  2. In C# (.NET Framework), we use the following simple code to generate an MD5 hash. A simple code snippet:
        // Wrapped in a method so the snippet compiles as-is; needs
        // "using System.Text;" and "using System.Security.Cryptography;"
        static string ComputeMd5Hex(string str)
        {
            // First we need to convert the string into bytes, which
            // means using a text encoder (.NET "Unicode" is UTF-16LE;
            // the same encoding must be used when verifying later).
            Encoder enc = System.Text.Encoding.Unicode.GetEncoder();

            // Create a buffer large enough to hold the string
            byte[] unicodeText = new byte[str.Length * 2];
            enc.GetBytes(str.ToCharArray(), 0, str.Length, unicodeText, 0, true);

            // Now that we have a byte array we can ask the CSP to hash it
            MD5 md5 = new MD5CryptoServiceProvider();
            byte[] result = md5.ComputeHash(unicodeText);

            // Build the final string by converting each byte
            // into hex and appending it to a StringBuilder
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < result.Length; i++)
            {
                sb.Append(result[i].ToString("X2"));
            }

            // And return it
            return sb.ToString();
        }
  3. Even in classic ASP, there are a couple of MD5 functions available to hash strings, so hashed values can be stored and compared instead of encrypting and decrypting passwords.
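The hash-then-compare flow the list above describes, as an added Python example (not the article's own code). It mirrors the C# snippet's UTF-16LE encoding and uppercase hex output; the `db` dict is a constructed in-memory stand-in for the accounts table.

```python
import hashlib
import hmac

# The C# snippet encodes the string as .NET "Unicode" (UTF-16LE) before
# hashing. A verifier that encodes differently (e.g. UTF-8) never produces
# a matching digest, the usual reason a stored and a computed hash differ.
DEFAULT_ENCODING = "utf-16-le"


def md5_hex(text: str, encoding: str = DEFAULT_ENCODING) -> str:
    """32-char uppercase hex MD5 of text, like the C# ToString("X2") loop."""
    digest = hashlib.md5(text.encode(encoding)).digest()
    return "".join(f"{b:02X}" for b in digest)


def store_password(user_db: dict, username: str, password: str) -> None:
    """Signup: keep only the digest, never the plaintext password."""
    user_db[username] = md5_hex(password)


def verify_password(user_db: dict, username: str, candidate: str) -> bool:
    """Login: hash the candidate with the same encoding and compare digests.
    compare_digest runs in constant time, so the comparison leaks no timing."""
    stored = user_db.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, md5_hex(candidate))


# Caveat: unsalted MD5 is fast and gives equal passwords equal digests, so the
# brute force the article warns about is cheap; prefer a salted, slow password
# hash for new systems. The flow (hash, store, re-hash, compare) stays the same.

if __name__ == "__main__":
    db = {}  # constructed in-memory stand-in for the accounts table
    store_password(db, "alice", "s3cret")
    print(verify_password(db, "alice", "s3cret"))            # True
    print(verify_password(db, "alice", "S3cret"))            # False
    print(md5_hex("s3cret") == md5_hex("s3cret", "utf-8"))   # False
```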

Summarizing...

I hope the above serves as starter information on Message Digest 5 (MD5) authentication. In a later article, we will look at "Strong Passwords and Tools" to ensure that the passwords accepted and used by the application are not vulnerable to worms, viruses or prying eyes.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Vasudevan Deepak Kumar
Software Developer
India
Vasudevan Deepak Kumar is from Chennai, India, and has been in a programming career since 1994, when he was 15 years old. He has a Bachelor of Engineering (in Computer Science and Engineering) from Vellore Engineering College and an MBA in Systems from Alagappa University, Karaikudi, India.
He started his programming career with GW-BASIC and then, in college, developed programs in Fortran, COBOL and C++. He has been developing in Microsoft technologies like ASP and SQL Server 2000.
His current focus is ASP.NET, C#, VB.NET, PHP, SQL Server and MySQL. In his pastime, he listens to polite Carnatic music. But the big question is: with his current to-do list backlog, does he get any pastime?

Comments and Discussions

Question: But how to compare? (Anonymous, 15-Jun-04 20:24)

Answer: Re: But how to compare? (Anonymous, 16-Jun-04 18:24)
Let me also say that after doing compute hash, I do the for loop, looping over each byte and converting it byte->ToString("X2")

I am still unable to obtain a matching string.

General: Suggested Correction (Andre Velloso, 3-Jun-04 0:56)

Last Updated 6 Oct 2003
Article Copyright 2003 by Vasudevan Deepak Kumar
Everything else Copyright © CodeProject, 1999-2014