Securing Web Accounts

By Vasudevan Deepak Kumar

Here we briefly look at how to keep accounts (signups) on websites more secure.
C#, VB.NET 1.0, .NET 1.1, Win2K, WinXP, Win2003, Windows, .NET, ASP, ASP.NET, Visual Studio, Dev

Posted: 5 Oct 2003
Updated: 5 Oct 2003
Views: 31,899
Bookmarked: 18 times
Introduction

Most of us who develop web applications use username and password combinations to authenticate and authorize users before they can use the application's services. The passwords are by default stored in a database. Normally we apply some string scrambling to the stored passwords to protect them from prying eyes, but an intruder determined to get hold of member accounts can still use a brute-force algorithm to recover those passwords.

This article does not attempt to cover coding-level details; it aims to convey the need for strong passwords and stronger security arrangements to keep our web applications safe from prying eyes.

With that intention, I hope to cover "Passwords and Strong Security Measures" step by step for the benefit of readers, drawing on the experience I gained while developing Application Security Services for an application.

Message Digest 5 (MD5) Algorithm

With the MD5 algorithm, we normally use the MD5CryptoServiceProvider to compute the hash string of the value to be protected and store the hashed value in the database. The next time the password has to be checked, we take the input string, compute its hash with the same algorithm and compare the two hash strings. This way the current password is kept safe and secure, at least to a reasonable level, because only its hash is ever stored.

Now we need to discuss how to handle issues like lost passwords. A forgotten password that is stored as an MD5 hash cannot be recovered as is. The only way is to generate a new password, hash it and store it in the database. This regenerated password can then be supplied to the user, and the user can be forced to select a new password the next time he logs in, so that the exposure created by sending the generated password around is limited.

Of course, it all depends on the significance and criticality of the application to be secured. Websites like Zend.com keep the new-password request URL active for only 2 hours, after which the request expires and a new password request has to be submitted.
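The full flow described above (hash on signup, recompute and compare on login, a time-limited reset link that issues a temporary password and forces a change at next login), as an added example that is not part of the original article. It uses an in-memory dictionary as a constructed stand-in for the database table, matches the article's C# digest format (UTF-16 bytes, MD5, upper-case hex), and the 2-hour window is the Zend.com figure quoted above.

```python
import hashlib
import hmac
import secrets

RESET_WINDOW = 2 * 60 * 60  # reset link valid for 2 hours, as in the Zend.com example

def md5_hex(password: str) -> str:
    """Same digest the article's C# snippet produces: UTF-16LE bytes, MD5, upper-case hex."""
    return hashlib.md5(password.encode("utf-16-le")).hexdigest().upper()

class AccountStore:
    """Constructed in-memory stand-in for the (username, password hash) table."""
    def __init__(self):
        self.users = {}    # username -> {"hash": hex digest, "must_change": bool}
        self.resets = {}   # reset token -> (username, expiry timestamp)

    def signup(self, username, password):
        self.users[username] = {"hash": md5_hex(password), "must_change": False}

    def login(self, username, password):
        rec = self.users.get(username)
        # Recompute the digest of the supplied password and compare digests, never
        # plaintext; compare_digest does not leak where the two strings first differ.
        if rec is None or not hmac.compare_digest(rec["hash"], md5_hex(password)):
            return "denied"
        return "must_change" if rec["must_change"] else "ok"

    def request_reset(self, username, now):
        """Issue an unguessable reset token that expires after RESET_WINDOW seconds."""
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.resets[token] = (username, now + RESET_WINDOW)
        return token

    def complete_reset(self, token, now):
        """Consume the token; on success store a new random password's hash and return it."""
        entry = self.resets.pop(token, None)   # one-shot: a used link cannot be replayed
        if entry is None or now > entry[1]:
            return None                        # unknown or expired link
        username, _ = entry
        temp_password = secrets.token_urlsafe(12)
        self.users[username] = {"hash": md5_hex(temp_password), "must_change": True}
        return temp_password                   # handed to the user out of band

    def change_password(self, username, old_password, new_password):
        """Forced change after a reset: the temporary password is retired here."""
        if self.login(username, old_password) == "denied":
            return False
        self.users[username] = {"hash": md5_hex(new_password), "must_change": False}
        return True
```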

Generating an MD5 Hash

  1. Programming languages like PHP have built-in support for MD5 generation.
  2. In C# (a .NET Framework language), the following simple method generates the MD5 hash of a string as a hex digest. It is adapted from a snippet the original article links to, with the using directives and class wrapper it needs to compile:

        using System;
        using System.Security.Cryptography;
        using System.Text;

        class PasswordHasher
        {
            static string ComputeMD5Hash(string str)
            {
                // First we need to convert the string into bytes, which
                // means using a text encoder.
                Encoder enc = System.Text.Encoding.Unicode.GetEncoder();

                // Create a buffer large enough to hold the string
                // (UTF-16 uses two bytes per char)
                byte[] unicodeText = new byte[str.Length * 2];
                enc.GetBytes(str.ToCharArray(), 0, str.Length, unicodeText, 0, true);

                // Now that we have a byte array we can ask the CSP to hash it
                MD5 md5 = new MD5CryptoServiceProvider();
                byte[] result = md5.ComputeHash(unicodeText);

                // Build the final string by converting each byte
                // into hex and appending it to a StringBuilder
                StringBuilder sb = new StringBuilder();
                for (int i = 0; i < result.Length; i++)
                {
                    sb.Append(result[i].ToString("X2"));
                }

                // And return it
                return sb.ToString();
            }
        }

  3. Even in classic ASP, there are a couple of MD5 functions available to hash strings, so that hashed values can be stored and compared instead of encrypting and decrypting passwords.

Summarizing...

I hope the above serves as starter information on Message Digest 5 (MD5) based authentication. In a later article, we may look at "Strong Passwords and Tools" to ensure that the passwords accepted and used by the application are not vulnerable to worms, viruses or prying eyes.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.


About the Author

Vasudevan Deepak Kumar


Vasudevan Deepak Kumar is from Chennai, India, and has been in a programming career since 1994, when he was 15 years old. He holds a Bachelor of Engineering (in Computer Science and Engineering) from Vellore Engineering College (now VIT University). He also has an MBA in Systems from Alagappa University, Karaikudi, India.


He started his programming career with GWBasic and then, in college, was involved in developing programs in Fortran, Cobol and C++. He has been developing in Microsoft technologies like ASP and SQL Server 2000. For some time, he was also involved in PHP and MySQL based development in one of his previous organizations. Currently his focus is on the Microsoft .NET world (ASP.NET, C# and Whidbey).


In his spare time, he listens to polite Carnatic Music.

Web Presence

Homepage: http://www.lavanyadeepak.tk/

Occupation: Web Developer
Location: India

Editor: Smitha Vijayan
Copyright 2003 by Vasudevan Deepak Kumar