views: 39
answers: 3

I feel like I'm kind of inventing the wheel all over, but I haven't understood if I can use ASP.NET User Management with MySQL. Not sure if I want to either.

I am designing a web site which requires user management. I use MySQL and .NET 4. Right now I've made a class Register which registers a user, but I am unsure how to protect the password and what to think about when implementing this functionality. I've been thinking of hashing it up with MD5, but it seems futile. The only thing the hash would protect against is me reading the passwords in cleartext. As long as it gets sent over https it's considered quite safe, right? (Feel free to bash me on that one. I've really no clue, really.)

How would you do this? Any suggestions are welcome!

EDIT

Thanks for leading me down the right path! I found a couple of interesting questions here (like this one: http://stackoverflow.com/questions/3063773/what-should-i-use-for-password-fields-in-a-table-md5-or-sha1) after I knew what to look for. Looks like hashed password + random salt is the way to go.

+1  A: 

You can use ASP.NET User Management with mySQL, just write your MembershipProvider:

Here is an example: http://www.codeproject.com/KB/database/mysqlmembershipprovider.aspx

onof
This was very useful, thanks!
Phil
+1  A: 

I don't know about using MySQL with the default SQL tables that you can generate for SQL Server, but you can implement your own membership provider (deriving from the base ones that come with the framework). This has the advantage that following the same pattern should protect you from some of the common security mistakes that people make.

As for storing the passwords in clear text, you should do some reading:

http://www.kavoir.com/2010/03/just-hashing-is-far-from-enough-how-to-position-against-dictionary-and-rainbow-attacks.html

Paddy
Thanks for the link and tip!
Phil
No problem. Feel free to vote and accept :)
Paddy
A: 

If the server gets compromised, and you store passwords in clear text, the intruder has access to those passwords. While your site may not be worth the trouble, some user's online banking password could be the same thing. (And just about everyone uses the same password, or a very similar one, for multiple sites.) Do you want to be responsible for someone stealing millions from your users?

cHao
What I meant was, MD5 isn't secure. It's easy to reconvert it to clear text (at least in my experience), and I'd like to store it more securely than that. Sorry for being unclear.
Phil
@Phil: You can't reconvert a hash to clear text, even MD5. The best you can do is find a string that generates the same hash, given the same salt -- and that takes a very, VERY long time if the password is decent. Unless you have a PhD in cryptology or something, you don't have the experience necessary to do that on any time scale short of "months".
cHao
In the case where there's no salt and only the hash, I thought it took a short while. It's mentioned in the article linked to below: "With a mapping table of trillions of hash to cleartext pairs, it takes only 160 seconds to crack the password “Fgpyyih804423” which most of us would generally agree is fairly safe." http://www.kavoir.com/2010/03/just-hashing-is-far-from-enough-how-to-position-against-dictionary-and-rainbow-attacks.html
Phil
@Phil: yeah, with no salt it can be kinda fast. I just assume you have the good sense to salt your passwords these days.
cHao