Need Salted MD5 technique for login

  • Question

  • User1052662409 posted

    Hi all,

    I need the following methods for a login module and a reset-password module:

      a) Salted MD5 technique in the "authentication or login" module, and
      b) MD5 hash technique in the "reset password" module.

    How it should work, I describe below.

    When a client requests the login page, the server should generate a random number, the salt, and send it to the client along with the page. JavaScript code on the client computes the MD5 hash of the password entered by the user. It then concatenates the salt to the hash and re-computes the MD5 hash. This result is then sent to the server. The server picks the hash of the password from its database, concatenates the salt and computes the MD5 hash. If the user entered the correct password these two hashes should match. The server compares the two and if they match, the user is authenticated.

    Any reference or link which does the same?

    Thanks

    Friday, August 22, 2014 1:19 AM
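As an added illustration (not code from the thread or from the poster's project), here are both halves of the exchange described in the post, simulated in one C# program so the steps can be followed; in the real design the client half would be browser JavaScript. The names, the sample password and the 16-byte salt size are assumptions. The last check shows why the design is risky: the server verifies against the stored MD5 of the password, so that stored value alone, with no password, yields a valid response.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Simulation of the posted scheme: client hashes, server re-derives and compares.
// All names here are illustrative; nothing is taken from the poster's project.
public static class SaltedMd5Exchange
{
    public static string Md5Hex(string input)
    {
        using (MD5 md5 = MD5.Create())
        {
            byte[] hash = md5.ComputeHash(Encoding.UTF8.GetBytes(input));
            return BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
        }
    }

    // Server step 1: a fresh random salt is issued with the login page.
    public static string NewSalt()
    {
        byte[] bytes = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes).Replace("-", "");
    }

    // Client step: MD5(password), then MD5(hash + salt). Only the result is sent.
    public static string ClientResponse(string password, string salt)
    {
        return Md5Hex(Md5Hex(password) + salt);
    }

    // Server step 2: the database holds MD5(password); redo the salted hash and compare.
    public static bool ServerVerify(string storedMd5, string salt, string response)
    {
        return Md5Hex(storedMd5 + salt) == response;
    }

    public static void Main()
    {
        string storedMd5 = Md5Hex("correct horse");   // constructed sample: what the database keeps
        string salt = NewSalt();
        Console.WriteLine("right password: " + ServerVerify(storedMd5, salt, ClientResponse("correct horse", salt)));
        Console.WriteLine("wrong password: " + ServerVerify(storedMd5, salt, ClientResponse("wrong", salt)));
        // Risk: the stored value is password-equivalent. A response derived from the
        // database hash alone, with no password, verifies just the same.
        Console.WriteLine("stored hash only: " + ServerVerify(storedMd5, salt, Md5Hex(storedMd5 + salt)));
    }
}
```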

All replies

  • User-821857111 posted

    MD5 is a broken algorithm. You shouldn't use it to encrypt sensitive data such as passwords

    http://threatpost.com/microsoft-starts-countdown-on-eliminating-md5/101994

    Friday, August 22, 2014 2:01 AM
  • User1052662409 posted

    You are right sir,

    Actually the problem is that a security audit of my web application is being done. I have never gone through this before. I used the MD5 technique (but not salted MD5) in my code file, not on the client side.

    But my auditor says

     "Implementing SSL is not the solution. Kindly implement proper salting technique so that the password is not passed in clear text."

    Now what to do? I have to implement this all as the auditor suggested.

    Friday, August 22, 2014 2:04 AM
  • User-821857111 posted

    But my auditor says

     "Implementing SSL is not the solution"

    Sorry, but if SSL is not the solution, I don't understand the problem you are trying to solve. Hashing passwords in client-side code will prevent anyone knowing what the password is, but that's no use as your server code isn't expecting the password - it's expecting a hash. The hash is as easy to obtain as a password unless it is being transmitted over a secure connection. 

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, August 22, 2014 3:48 AM
  • User-760709272 posted

    Now what to do?

    Find an auditor that actually understands security.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, August 22, 2014 3:55 AM
  • User1052662409 posted

    Thanks to both of you, AidyF Sir and Mike Sir... Now I asked someone to tell me how to do this. Then he gave me an md5.js file and a code-file snippet

    string password=FormsAuthentication.HashPasswordForStoringInConfigFile(passvalue, "md5").ToString();
    

    and said to call this JavaScript file on button click and put this C# code on the server.

    I request both of you, if you could please help me out to do this in the way I asked.

    Or any other technique so that the password is (Salt + MD5) on both sides, client and server.

    I'll be very thankful.

    Friday, August 22, 2014 7:19 AM
  • User-821857111 posted

    FormsAuthentication.HashPasswordForStoringInConfigFile

    http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.hashpasswordforstoringinconfigfile(v=vs.110).aspx

    Note: This API is now obsolete.

    It's impossible to help you without knowing what methods/functions this md5.js file exposes. Also, are you storing passwords in the database in plain text?

    Friday, August 22, 2014 7:51 AM
  • User1779161005 posted

    ASP.NET provides an API to protect passwords:

    http://brockallen.com/2012/10/19/password-management-made-easy-in-asp-net-with-the-crypto-api/

    Friday, August 22, 2014 9:24 AM
  • User1052662409 posted

    I didn't use any client side method. Please suggest any method which can protect me on both sides, client side and server side.

    Mikesdotnetting

    It's impossible to help you without knowing what methods/functions this md5.js file exposes. Also, are you storing passwords in the database in plain text?

    I am using the below method

    // Requires System.Security.Cryptography, System.Text, System.Data and System.Data.SqlClient.
    // Server-side login as posted: the unsalted MD5 of the typed password is
    // handed to a stored procedure that looks the user up by id and hash.
    byte[] hashedDataBytes;
    using (MD5CryptoServiceProvider md5Hasher = new MD5CryptoServiceProvider())
    {
        UTF8Encoding encoder = new UTF8Encoding();
        hashedDataBytes = md5Hasher.ComputeHash(encoder.GetBytes(txtPassword.Text));
    }

    SqlCommand com11 = new SqlCommand("For_Login1", con);
    com11.CommandType = CommandType.StoredProcedure;
    com11.Parameters.AddWithValue("@User_Id", ddl.SelectedItem.Text);
    com11.Parameters.AddWithValue("@Password", hashedDataBytes);
    SqlDataAdapter sda = new SqlDataAdapter(com11);
    DataTable dtcheck = new DataTable();
    sda.Fill(dtcheck);
    if (dtcheck.Rows.Count > 0)
    {
        // A returned row means the user id / hash pair exists: treat as logged in.
        Session["uid"] = dtcheck.Rows[0]["User_Id"].ToString();
        Session["uname"] = dtcheck.Rows[0]["User_Id"].ToString();
        Session["logintime"] = DateTime.Now;
        string logintime = Session["logintime"].ToString();
    }

    How do I implement this technique?

    What should I do so that the auditor / any user can't read my password (both client side and server side)?

    I'd be very thankful to you.

    Friday, August 22, 2014 12:38 PM
  • User-821857111 posted

    What should I do so that the auditor / any user can't read my password (both client side and server side)?

    Use SSL and the Crypto helper class as you have been advised before.

    Friday, August 22, 2014 2:19 PM
  • User1052662409 posted

    Use SSL and the Crypto helper class as you have been advised before.

    Yes I will, but what about the client side?

    Friday, August 22, 2014 10:49 PM
  • User-821857111 posted

    Mikesdotnetting

    Use SSL and the Crypto helper class as you have been advised before.

    Yes I will, but what about the client side?

    If you use SSL, you do not need to worry about obfuscating the password value in client side code.

    I'm sorry, but I agree with AidyF. Your auditor is just plain wrong.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Saturday, August 23, 2014 1:38 PM
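As an added example (not the thread's or the poster's code), this is what the advice in the thread looks like on the server: the Crypto helper class from System.Web.Helpers (salted PBKDF2, a fresh random salt per password) in place of the MD5 code posted above, with the plain password carried to the server only over SSL. The table name Users, the column PasswordHash, the column lengths and the connection handling are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Helpers;   // Crypto lives in System.Web.Helpers.dll

// Hypothetical table: Users(User_Id nvarchar(50), PasswordHash nvarchar(200)).
// The login page itself must be served over SSL so the password is encrypted in transit;
// no client-side hashing is needed once that is in place.
public static class CryptoLogin
{
    // Registration / password reset: store only the salted hash, never the password.
    public static void SetPassword(SqlConnection con, string userId, string password)
    {
        string hash = Crypto.HashPassword(password);   // salt is generated inside the helper
        using (SqlCommand cmd = new SqlCommand(
            "UPDATE Users SET PasswordHash = @Hash WHERE User_Id = @User_Id", con))
        {
            cmd.Parameters.Add("@Hash", SqlDbType.NVarChar, 200).Value = hash;
            cmd.Parameters.Add("@User_Id", SqlDbType.NVarChar, 50).Value = userId;
            cmd.ExecuteNonQuery();
        }
    }

    // Login: fetch the stored hash for the user, then let the helper re-derive and compare.
    public static bool VerifyLogin(SqlConnection con, string userId, string password)
    {
        string stored;
        using (SqlCommand cmd = new SqlCommand(
            "SELECT PasswordHash FROM Users WHERE User_Id = @User_Id", con))
        {
            cmd.Parameters.Add("@User_Id", SqlDbType.NVarChar, 50).Value = userId;
            stored = cmd.ExecuteScalar() as string;   // null when the user does not exist
        }
        // Unknown user behaves exactly like a wrong password.
        if (stored == null)
        {
            return false;
        }
        return Crypto.VerifyHashedPassword(stored, password);
    }
}
```

In the page's button handler, call VerifyLogin with the connection, the selected user id and txtPassword.Text, and only then set the Session values; the database never sees the raw password.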