
  On 21/07/2013 at 18:48, Joe USer said:

Just another tip, hiding your password creation and verification routines isn't a bad idea.


I like to use an encrypted stored procedure in the database server for logins (in my case MSSQL). You feed it the user name and password, it returns true or false. You can, of course, get more complex, but the design rule was that all logins are validated through the one procedure. You can call it from another proc, from the web server or from any other front end, but that SP was the only way to validate a login.

I can't imagine that being very secure, if somebody attacks your database (Which is pretty much going to be the attack vector) they've then got your custom method for authenticating users.

If the method was properly secure, you could tell the attacker exactly how you're doing it and they still wouldn't be able to break it (Just because the attacker knows you're using bcrypt, doesn't make bcrypt any less secure, etc.)

Not really, you're not adding any actual extra work for the attacker, they still just have to come up with one password to test.

Edit: The hard part isn't "How many times do I run SHA", it's "What do I feed the hash function?", adding 3 hash iterations isn't any harder than just 1 hash iteration, it's just ever so slightly slower.
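To make the two points above concrete (the method can be fully public, and the cost comes from the work factor and the per-user salt, not from chaining a few SHA rounds), here is an added example that is not from this thread. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, and the `pbkdf2_sha256$iterations$salt$hash` storage format is an assumption of this example:

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed format (not from the thread). Everything an attacker could read out
# of the database is stored in the clear: algorithm, iteration count, salt.
# Only the password itself is secret, so knowing the method gains nothing.
ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt_b64>$<hash_b64>'."""
    if salt is None:
        # Per-user random salt: this is the "what do I feed the hash" part.
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the public parameters in `stored`; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False  # unknown or malformed record: fail closed
    _, iters, salt_b64, hash_b64 = parts
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(base64.b64decode(hash_b64), actual)


def chained_sha256(password: str, rounds: int) -> str:
    """The 'run SHA a few times' idea: no salt and no tunable cost, so the
    same password always yields the same output and can be precomputed."""
    data = password.encode("utf-8")
    for _ in range(rounds):
        data = hashlib.sha256(data).digest()
    return data.hex()
```

Hashing the same password twice with `hash_password` gives two different records that both verify, while `chained_sha256` gives the same output every time regardless of how many rounds are chained.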

  On 22/07/2013 at 06:36, The_Decryptor said:

I can't imagine that being very secure, if somebody attacks your database (Which is pretty much going to be the attack vector) they've then got your custom method for authenticating users.

If the method was properly secure, you could tell the attacker exactly how you're doing it and they still wouldn't be able to break it (Just because the attacker knows you're using bcrypt, doesn't make bcrypt any less secure, etc.)


First off, the production database server doesn't see the Internet. It doesn't even have a default gateway. It's locked down to VPN and local server access only.

Second, The stored procedure is compiled with encryption, it's not easily editable, and they would have to break the database security system to figure out how to decrypt it.

Third, I'm using bcrypt, but it's not on the forward facing server, it's out of sight in a stored procedure with much tighter security.


So, after breaking the VPN, breaking domain security, and breaking SQL Server security, they've figured out I'm using bcrypt. 


Now, if we coded security at the web tier, someone could break into the public facing server and figure out what we're using in far less time. Why make it easy on them?

If they get access to your web server chances are they'll get access to your database server.

If you think that just because one server itself doesn't have the internet makes it untouchable, you've got a lot to learn. A very early example of netcat was exactly that, hack a web front end, put a netcat remote listener on and then you do what you want to the database server as if it was on the internet.
