I have compiled an assembly using the Microsoft Strong Name key convention and marked it to be "AllowPartiallyTrusted".
I am testing the application against this assembly from two different machines.
One is running Windows 2003 Server and the other machine is on Windows XP Professional.
I am able to invoke the methods on the assembly f...
On the surface bcrypt, an 11-year-old security algorithm designed for hashing passwords by Niels Provos and David Mazieres, which is based off the initialization function used in the NIST approved blowfish algorithm, seems almost too good to be true. It is not vulnerable to rainbow tables (since creating them is too expensive) and not even vuln...
I am essentially storing a private key (Hash) in any of the OctetString attributes within Active Directory.
My question is, what attribute is secure by default and makes sense to keep private data there? This value should be considered similar to a password, where even administrators shouldn't have access (if possible), just like the c...
I've heard quite a few reasons for storing hashed passwords in a database. However, there are almost always options in authentication APIs to store passwords as plain text or encrypted.
Is there ever a reason you would want to store a password as plain text or encrypted in a database?
Note: To be clear, I know that storing non-hashed ...
I am using PHP and MySQL and I want to sell my digital eBooks online. I want to give a download link to my clients who buy my eBook, but I want to secure my digital download links to work for only 3 times, and the download link should be deleted automatically after 24 hours or after 3 download attempts.
How can I fulfill this requirem...
Is it safe to share data between flash and javascript using ExternalInterface? I'm building a game where I want to pass scores to js, not sure if this is safe enough.
Thanks
...
I'm using Zend_Auth with setCredentialTreatment to set the hash method and salt. I see all examples doing something like this, where the salt seems to be inserted as a text.
->setCredentialTreatment('SHA1(CONCAT(?,salt))')
but my salt is stored in the database. I could retrieve it first then use it in setCredentialTreatment but is t...
We are building a service that uses location-based pricing. The user can input an address and see prices in his area as determined by various server-side algorithms. It is then possible to order items based on these prices.
I'm trying to figure out if there is a way we can use client-side geocoding in this scenario (to avoid hitting Goo...
After looking into our login system to add some new features, I found out that it isn't very secure. The auth cookie was the encryption of user id, stamp, version, PASSWORD IN THE RAW, and a cookie id. At least I can say I am not the one who did it like that; a previous developer did. (Yes, I know that password should be saved as a hash i...
What I'm trying to do is set up a call to a service on another server.
So far, I've created the proxy and got the config information.
What I'm having trouble finding is how to set the security. They are using message security and client certificates.
Here is my app.config file, what I have so far. Any information on setting the sec...
I am trying to create a class that can display debug strings in a separate console from the program that uses it, either a form or another console. The idea is to have your program run normally, but have all the debug messages in another console. Since a process can only have one console at a time, I start my debug console in another proc...
Hello. I'm about to begin building an e-commerce website using c#, ASP.Net MVC 2, IIS7 and SQL 2008. The site will allow users to login, make purchases, and manage their orders. Obviously, there's a need for strong security here. I've been searching around on SO and Google for a single definitive guide that covers enough on security ...
I am currently exploring Zend_Auth, part of Zend Framework, but am disappointed with the lack of more advanced features such as nonces, authentication tokens, lock-out, etc. In one of my recent projects, I implemented an authentication and ACL (Access Control List) scheme that has the following features:
Salted hashes
Automatic IP addr...
I've been tasked to build a system that allows someone in our company to send out an email with a link to a pdf file that will be kept on our webserver. The recipient can follow the link to view a newsletter we normally sell. The idea is we do this for three months, then see if they'd like to continue and pay for the full subscription.
...
During the installations that require multiple restarts, the installers are configured to accept the user's login credentials (User name and Password). After the installation this credential would be used for logging into the computer and continuing the installation activity.
In such cases is it advisable to provide the user credential...
Hi,
I need to request a URL from a server that uses client certificates for authentication and can't find a way to do this for my application.
My problem is that the Java client I'm working on has the certificate file available locally but due to restrictions on the PCs it will be running on it cannot install the certificate in a keyst...
I'm working on an internal web application (only employees can log in) and need some help figuring out a good approach to handling an individual user's permissions to the system.
The system itself is in C# / ASP.NET (4.0 / Webforms / Forms Authentication) / SQL Server 2008 and has several different areas which will have varying sets of p...
So I want to create a user account in Windows 2003 with Active Directory utilizing JNDI. I am following the following example: http://forums.sun.com/thread.jspa?threadID=582103 (first post). The following code is throwing an LDAP error, I believe due to a chicken-and-egg problem of creating a user and then setting a password that is const...
Can I avoid all SQL-injection attacks by using parameters?
And not worry about anything in SQL injection in this case?
Or are there some types of these attacks which require more care on the part of the programmer?
...
I am using ActionScript to connect to my socket server, but I always get <policy-file-request/> sent from ActionScript, and after that the connection is closed. The code in ActionScript is:
protected function connect_to_server_btn_clickHandler(event:MouseEvent):void
{
Security.loadPolicyFile("http://192.16...