Salted Hashed Passwords

Saving passwords for your application must be done with caution, especially when securing websites. Leaked databases have been exposed all over the internet.
In the event your database is exposed you want to make it as hard as possible to crack the passwords, so you have enough time to inform your users and let them change their passwords. Maybe even disable the users that haven’t changed their passwords.
I’ve written a util class that generates a salt and hashes strings (like passwords) with a salt. Using a salt when hashing the password makes it hard to crack. The salt is appended to the password and then the complete string is hashed with the key (HMAC-SHA256). See below:

using System;
using System.Security.Cryptography;
using System.Text;

public static class SaltUtil
{
    public static string GenerateRandomSalt()
    {
        // use a cryptographically secure random number generator
        using (RNGCryptoServiceProvider algorithm = new RNGCryptoServiceProvider())
        {
            // request a byte array with random numbers of length 16
            byte[] buff = new byte[16];
            algorithm.GetBytes(buff);
            // return the string representation
            return Convert.ToBase64String(buff);
        }
    }

    public static string GenerateSaltedHash(string password, string salt)
    {
        UTF8Encoding encoding = new UTF8Encoding();
        // placeholder HMAC key: replace with your own secret, kept outside the database
        byte[] key = encoding.GetBytes("Your key here");
        // use HMAC with SHA-256
        using (HashAlgorithm algorithm = new HMACSHA256(key))
        {
            // combine password and salt
            byte[] combinedPasswordAndSalt = encoding.GetBytes(string.Concat(password, salt));
            // compute the hash from password with salt
            byte[] hash = algorithm.ComputeHash(combinedPasswordAndSalt);
            // return the string representation
            return Convert.ToBase64String(hash);
        }
    }
}

On creation of a user you can generate a salt and hash the password. Make sure to save the salt, as the code will generate a new salt every time!
Feel free to use this code and to comment on this below.
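
Added example (not the post's own code): the create-and-verify flow described above, with the salt stored next to the hash and reused at login. It goes beyond the post by swapping the single HMAC-SHA256 pass for PBKDF2-HMAC-SHA256, a deliberately slow key-derivation function, and by comparing hashes in constant time. It assumes .NET 6 or later; `PasswordRecord`, `PasswordStore` and the iteration count are hypothetical choices.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not the post's SaltUtil. Assumes .NET 6 or later.
// PasswordRecord and PasswordStore are hypothetical names.
public sealed record PasswordRecord(string Salt, string Hash, int Iterations);

public static class PasswordStore
{
    private const int SaltBytes = 16;        // same salt length as the post
    private const int HashBytes = 32;        // SHA-256 output size
    private const int Iterations = 600_000;  // assumed work factor; tune for your hardware

    // User creation or password change: fresh salt, stored together with the hash.
    public static PasswordRecord Create(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        return new PasswordRecord(
            Convert.ToBase64String(salt), Convert.ToBase64String(hash), Iterations);
    }

    // Login: reuse the STORED salt and iteration count, never a newly generated salt.
    public static bool Verify(string password, PasswordRecord stored)
    {
        byte[] salt = Convert.FromBase64String(stored.Salt);
        byte[] expected = Convert.FromBase64String(stored.Hash);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, stored.Iterations, HashAlgorithmName.SHA256, expected.Length);
        // Constant-time comparison: timing does not reveal how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample passwords.
        PasswordRecord rec = PasswordStore.Create("correct horse battery staple");
        Console.WriteLine(PasswordStore.Verify("correct horse battery staple", rec));
        Console.WriteLine(PasswordStore.Verify("wrong guess", rec));
        // Same password for a second user: new salt, so a different stored hash.
        Console.WriteLine(PasswordStore.Create("correct horse battery staple").Hash != rec.Hash);
    }
}
```

Storing the iteration count in the record lets the work factor be raised later without invalidating existing hashes.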

Posted in Security

My OpenDNS free setup

Look at the right side of my WordPress page and you’ll see the image saying you’re (not) using OpenDNS.
Some time ago a post on Lifehacker pointed me to OpenDNS. After the signup I changed the DNS settings on my Wifi router and forgot about it for a while. By default the malware/botnet and phishing protection are enabled.
Then I remembered OpenDNS and started using some other features.

  • I installed the OpenDNS-updater to update the network settings whenever I was at work.
  • To see the usage of internet I configured two networks for OpenDNS to monitor, one called home and one called work. The stats on OpenDNS can now be filtered based on the two networks.
  • I noticed the option of black-lists, where a certain request can be denied based on the domain. To reduce the amount of ads I added doubleclick.net to the rules with the always block setting.
    Blocked doubleclick.net ad
    Even the LinkedIn website uses this domain for its ads. And now it will never reach me again 😉

Future usage will be blocking some more based on its content for when my kids will be browsing the internet. Maybe I can ask my boss for a raise when I can show him my traffic stats after hours.

Posted in Tooling

Onavo datashrink

I recently installed Onavo for iPhone. My idea was that shrinking the data not only saves money, but also waiting times. Also the report about what consumes data and how much is handy.
Onavo sample report monthly usage
After the installation I started the program and a simple wizard helped me change the settings (accept and that’s it) and I was on my way. The first time my e-mail app used the new profile it reported an untrusted certificate, but accepting it solved that.
Onavo reports about 22.34Mb saved in a week. The next week was 40.8Mb. I’m waiting for my bill to see that no surprises are on there.
I didn’t notice any speed improvements. Maybe there is nothing to improve as I’m using 3G. Sometimes the connection falls back to GPRS but that is slow as always.
Only downside would be that all my traffic is routed through Onavo’s service. Will they play nice with this information?

Posted in Tooling

Move MSOCache

Microsoft Office 2010 has a cache folder so you don’t need the media anymore after the installation. Very handy. Problem is it is 1.26Gb and I want to reclaim the space on my C-drive. A solution is posted here but not in detail. Here’s my story.

My machine is set up with Boot to VHD. My virtual machine has an Office 2010 installation and a MSOCache folder. My main machine also has an Office 2010 installation and a MSOCache folder. So I deleted the MSOCache folder from my virtual machine and changed the registry settings to point to my main machine MSOCache: search for C:\MSOCache in regedit.exe and replace it with the new location (like 100 times or so). You’ve just saved over a Gigabyte of space in your virtual machine.

Posted in Tooling

WPF enable next button of Wizard on Validation success

I’m using a wizard in my application that validates the input. The user must not be able to move to the next page if the validation is not a success. This can be done by disabling the next button when validation fails. The NextButtonEnabled property is hooked to the Validation.HasError property of the input control. Code sample below.

<wizard:WizardPage x:Name="WizardPage">
    <!--Style that sets the NextButtonEnabled based on validation-->            
    <wizard:WizardPage.Style>
        <Style TargetType="wizard:WizardPage">
            <Style.Triggers>
                <DataTrigger Binding="{Binding ElementName=DataControl,Path=(Validation.HasError), UpdateSourceTrigger=PropertyChanged}" Value="True">
                    <Setter Property="NextButtonEnabled" Value="False" />
                </DataTrigger>
            </Style.Triggers>
        </Style>
    </wizard:WizardPage.Style>
    <!--Input controls-->
    <AdornerDecorator>
        <TextBox Name="DataControl">
            <TextBox.Text>
                <Binding Path="MyValue" UpdateSourceTrigger="PropertyChanged" >
                    <Binding.ValidationRules>
                        <my:NotNullOrEmptyValidationRule ErrorMessage="Supply data"/>
                    </Binding.ValidationRules>
                </Binding>
            </TextBox.Text>
        </TextBox>
    </AdornerDecorator>
</wizard:WizardPage>

This doesn’t cover the user directly clicking the next button, but that is handled by the check in the Unselecting event handler.

Posted in Development