Recommended Posts

  On 21/07/2013 at 18:48, Joe USer said:

Just another tip, hiding your password creation and verification routines isn't a bad idea.

 

I like to use used an encrypted stored procedure in the database server for logins(In my case MSSQL). You feed it the user name and password, it returns true or false. You can, of course, get more complex, but the design rule was that all logins are validated through the one procedure. You can call it from another proc, from the web server or from any other front end, but that SP was the only way to validate a login.

I can't imagine that being very secure, if somebody attacks your database (Which is pretty much going to be the attack vector) they've then got your custom method for authenticating users.

If the method was properly secure, you could tell the attacker exactly how you're doing it and they still wouldn't be able to break it (Just because the attacker knows you're using bcrypt, doesn't make bcrypt any less secure, etc.)

Not really, you're not adding any actual extra work for the attacker, they still just have to come up with one password to test.

Edit: The hard part isn't "How many times do I run SHA", it's "What do I feed the hash function?", adding 3 hash iterations isn't any harder than just 1 hash iteration, it's just ever so slightly slower.

  On 22/07/2013 at 06:36, The_Decryptor said:

I can't imagine that being very secure, if somebody attacks your database (Which is pretty much going to be the attack vector) they've then got your custom method for authenticating users.

If the method was properly secure, you could tell the attacker exactly how you're doing it and they still wouldn't be able to break it (Just because the attacker knows you're using bcrypt, doesn't make bcrypt any less secure, etc.)

 

First off, the production database server doesn't see the Internet. It doesn't even have a default gateway. It's locked down to VPN and local server access only.

Second, The stored procedure is compiled with encryption, it's not easily editable, and they would have to break the database security system to figure out how to decrypt it.

Third, I'm using bcrypt, but it's not on the forward facing server, it's out of sight in a stored procedure with much tighter security.

 

So, after breaking the VPN, breaking domain security, and breaking SQL Server security, they've figured out I'm using bcrypt. 

 

Now, if we coded security at the web tier, someone could break into the public facing server and figure out what we're using in far less time. Why make it easy on them?

If they get access to your web server chances are they'll get access to your database server.

If you think that just because one server itself doesn't have the internet makes it untouchable, you've got a lot to learn. A very early example of netcat was exactly that, hack a web front end, put a netcat remote listener on and then you do what you want to the database server as if it was on the internet.

  • 1 month later...
This topic is now closed to further replies.
  • Posts

    • I think you need to adjust your style of approach. While some were affected by performance issues, and it's not a huge gap... you're acting as if Ryzen couldn't handle 11 at all. Performance issues are purely based on some facts in certain scenarios, while others are not. I see one link with a handful of people discussing the topic. I didn't join those topics or seek them out myself, as I didn't encounter noticeable drops in performance going from 10 to 11. It might also have to be because I don't have my nose stuck up the butt of single digit percentage points. I don't benchmark my PC every time something new comes out. Single percentage point differences in performance only ruffle the feathers of those that don't care about daily use. If you have a race car, do you compare that to your daily driver? Do you expect your Honda Accord to break the 9 second quarter mile like your 1000HP Pontiac Firebird? If you're so worried about FPS instead of enjoying your games... perhaps opening a curtain in your basement might provide a new perspective in life.
    • Currently updating my Win10 IoT Enterprise LTSC 2021 in a VM (QEMU/KVM) on Linux. but damn, updates take forever (makes me appreciate the lightness on Linux all the more). to give you a general idea... this update finished at 37 minutes into system uptime and I would estimate updates have been running roughly 20-30 minutes (some of this would be download time, but even subtracting that I would guess that 20-30min is close). granted, I only got two cores of my four core CPU (i5-3550) dedicated to the VM. but still, Linux wipes the floor with Windows in this regard.
    • It's disgusting that this exists and is being marketed by Neowin as a way to earn passive income. Support real writers and real arts. The world needs them more than ever. After at least 10 years, Neowin can GTFO my favorites bar.
    • It doesn't have to be "interesting" for a script/bot to just copy everything it finds and rehost it on another site. I hope you remember your post when AGI replaces not only your job and your career, but you entirely in the workforce...
  • Recent Achievements

    • Reacting Well
      rshit earned a badge
      Reacting Well
    • Reacting Well
      Alan- earned a badge
      Reacting Well
    • Week One Done
      IAMFLUXX earned a badge
      Week One Done
    • One Month Later
      Æhund earned a badge
      One Month Later
    • One Month Later
      CoolRaoul earned a badge
      One Month Later
  • Popular Contributors

    1. 1
      +primortal
      531
    2. 2
      ATLien_0
      272
    3. 3
      +FloatingFatMan
      211
    4. 4
      +Edouard
      202
    5. 5
      snowy owl
      140
  • Tell a friend

    Love Neowin? Tell a friend!