Salting your hash and WSE UsernameTokens

After some research on securing WSE methods, I noticed there seems to be much confusion about how to hash a clear password so that it works with PasswordOption.SendHashed and PasswordOption.SendPlainText when attaching a UsernameToken to the SOAP request. There is also confusion about how to store your passwords in your database with salt in a way that still allows your derived UsernameTokenManager class to verify the salted password correctly. There are many blogs with different solutions and some dead ends. The common goal seems to be to store a hash of the password plus salt and have that hash be verifiable by the UsernameTokenManager.AuthenticateToken method. This is a good idea and is a popular way many Unix and other systems approach the problem.

The idea is simple. We don’t want to store plain text passwords in our database (i.e. SQL, text file, other) for obvious reasons. So one approach is to hash the password with something like SHA1 (I will use SHA1 as my hashing algorithm going forward) and store that. That is better than nothing, but is only slightly better than plain text. This is because it is still relatively easy to run a dictionary attack against the database if the DB is ever made public via “inside job”, accident, or poor security policies. A hacker who has a DB of already hashed passwords can just run down your user list and compare each user's password hash in the DB against all hashes in his DB. When a match is found, he has the password for that account and any other account that used the same password. A popular way to defend against this attack has been to “salt” the password with a unique string before the hash. A unique salt is generated for each user when the account is created and stored with the user record (more on this later). The password and salt are concatenated together and then hashed to create a verifier such that:

v = SHA1(password + salt) 

We now have our “v” in the database, so our DB may look something like:

UserName    Salt         Verifier
staceyw     12WEe#$%     asdf435rkj19-sdflkj
gatesb      @#$444@#9    234-8fs;jx;k234-;jsfd

Now a client can send us a v, instead of a clear password, and we can compare it to our local copy of v to see if they match. If so, the sender must have known the salt and the password to produce the same hash value. This is still not bulletproof, as a hacker can still run a dictionary attack. However, it is more work and will not work with a pre-built hash dictionary because we added the salt. That said, he can still run a dictionary attack as he will have the salt or may know how to compute the salt we used. So all he needs to do is run down the list of words in his database and calculate a new hash or “v”. This loop continues until a match is found or he runs out of dictionary words. (See “Create our own Cracker” in a future blog to see how this could be done.)

So using a unique salt for each user makes each verifier unique even if two passwords are the same. It also makes it harder to run a standard dictionary attack. This gives us pretty good protection, especially if the DB is secured and the password policy is robust.

Back to how this fits with WSE and UsernameToken. WSE allows us to attach a UsernameToken to each SOAP request. Among other fields, the UsernameToken contains the UserName string and the password. It also allows you to specify an enum value of PasswordOption.SendHashed, PasswordOption.SendPlainText, or PasswordOption.SendNone. I will ignore SendNone for this discussion. PasswordOption.SendPlainText does what it says and will send the password as entered in the constructor. PasswordOption.SendHashed will hash the password together with a Nonce and the Created DateTime of the object. The resulting hash, or digest, is what is sent in the UsernameToken in the SOAP header. An important point is that the password string returned from AuthenticateToken() must match the password string that was passed into the UsernameToken constructor. The string need not be the clear user password; it just needs to match. Because our “v” is SHA1(password + salt), v is what we want to return in AuthenticateToken(). However, that means “v” needs to be passed to the UsernameToken constructor at the client side. That means the client must know the salt beforehand.

This brings us back to salt. We could ask the server for our user salt in a prior call. That is not bad as it only needs to be done once, but it is another call. There is an easier option. If we look harder, we realize that it does not matter what the salt is, only that it is unique per user and both sides know what it is. Therefore, as both sides know the username, both sides could dynamically create a salt using something like .NET’s PasswordDeriveBytes class. We could define a salt generator like:

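using System;
using System.Security.Cryptography;

// Place in a class shared by the client and the server so both derive the same salt.
internal static string GetSalt(string userName)
{
      if ( userName == null )
            throw new ArgumentNullException("userName");

      // The user name is the only input: no stored salt and no secret is involved.
      PasswordDeriveBytes pdb = new PasswordDeriveBytes(userName, null);
      pdb.IterationCount = 1000;
      pdb.HashName = "SHA1";
      byte[] saltBytes = pdb.GetBytes(10);   // 10 derived bytes become the salt
      return Convert.ToBase64String(saltBytes);
}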

This has a few side benefits: we no longer need to store the salt in the DB, and we save a column of data. Basically, there is less data to store and manage. This does not decrease security as salt is not intended to be secret information anyway. In fact, it is normal (and sometimes required) for salt to be passed around in clear text. The same salt generator will be used when the account is created at the server and at the client when it creates “v”.

The method above will also work whether you choose PasswordOption.SendPlainText or PasswordOption.SendHashed. You only need to change the enum at the client and our protocol will work either way. This is because the UsernameTokenManager will handle the hashing for us automatically. Remember, we just need to return the same string that was set in the UsernameToken constructor. As we always return only “v” (or null if the user is not found, etc.), it works either way. Naturally, we would rather use PasswordOption.SendHashed as we get the additional hashing and the security of the Nonce for free. You might use PasswordOption.SendPlainText if you wanted to encrypt the password before setting it in the UsernameToken constructor at the client side. Your AuthenticateToken() method would then just decrypt the password to verify (e.g. using LoginUser()) and then return the encrypted version of the password so UsernameTokenManager will see they match.
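The scheme described above, end to end, as an added example in plain .NET (it is not WSE code and not the implementation promised for a later post). Assumptions: UTF-8 encoding, v carried as Base64 text, an in-memory dictionary standing in for the DB, and the SendHashed digest computed as Base64(SHA-1(nonce + created + password)) as defined by the OASIS UsernameToken Profile; every name except GetSalt is hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: plain .NET only, no WSE types. Names other than GetSalt are hypothetical.
static class SaltedTokenDemo
{
    // Constructed user store: user name -> v. No salt column and no clear password.
    static readonly Dictionary<string, string> Db = new Dictionary<string, string>();

    // Same derivation as the post's GetSalt(): both sides compute it from the user name.
    static string GetSalt(string userName)
    {
        PasswordDeriveBytes pdb = new PasswordDeriveBytes(userName, null);
        pdb.IterationCount = 1000;
        pdb.HashName = "SHA1";
        return Convert.ToBase64String(pdb.GetBytes(10));
    }

    // v = SHA1(password + salt), as Base64 text so it can stand in for the token password.
    // UTF-8 is an assumption; client and server only have to agree on the encoding.
    static string ComputeVerifier(string userName, string password)
    {
        using (SHA1 sha = SHA1.Create())
            return Convert.ToBase64String(
                sha.ComputeHash(Encoding.UTF8.GetBytes(password + GetSalt(userName))));
    }

    // Base64(SHA-1(nonce + created + secret)), the digest form of the OASIS
    // UsernameToken Profile; here the "secret" is v, not the clear password.
    static string PasswordDigest(byte[] nonce, string created, string secret)
    {
        byte[] tail = Encoding.UTF8.GetBytes(created + secret);
        byte[] buf = new byte[nonce.Length + tail.Length];
        Buffer.BlockCopy(nonce, 0, buf, 0, nonce.Length);
        Buffer.BlockCopy(tail, 0, buf, nonce.Length, tail.Length);
        using (SHA1 sha = SHA1.Create())
            return Convert.ToBase64String(sha.ComputeHash(buf));
    }

    // Stand-in for AuthenticateToken(): return the stored v, or null for an unknown user.
    static string LookupVerifier(string userName)
    {
        string v;
        return Db.TryGetValue(userName, out v) ? v : null;
    }

    // What the receiving side does with that return value: recompute and compare.
    static bool Verify(string userName, byte[] nonce, string created, string digest)
    {
        string v = LookupVerifier(userName);
        if (v == null) return false;
        string expected = PasswordDigest(nonce, created, v);
        int diff = expected.Length ^ digest.Length;
        for (int i = 0; i < expected.Length && i < digest.Length; i++)
            diff |= expected[i] ^ digest[i];          // no early exit on first mismatch
        return diff == 0;
    }

    static void Main()
    {
        // Account creation: two users pick the same password, the stored v values differ.
        Db["staceyw"] = ComputeVerifier("staceyw", "Secret#1");
        Db["gatesb"] = ComputeVerifier("gatesb", "Secret#1");
        Console.WriteLine("same v for same password: " + (Db["staceyw"] == Db["gatesb"]));

        // Client: derive v locally, then send only nonce, created and the digest.
        byte[] nonce = new byte[16];
        RandomNumberGenerator.Create().GetBytes(nonce);
        string created = "2005-03-01T12:00:00Z";      // constructed timestamp
        string good = PasswordDigest(nonce, created, ComputeVerifier("staceyw", "Secret#1"));
        string bad = PasswordDigest(nonce, created, ComputeVerifier("staceyw", "secret#1"));

        Console.WriteLine("correct password: " + Verify("staceyw", nonce, created, good));
        Console.WriteLine("wrong password:   " + Verify("staceyw", nonce, created, bad));
        Console.WriteLine("unknown user:     " + Verify("nobody", nonce, created, good));
    }
}
```

Verify() needs nothing but the stored v, which is why a leaked v works as a password equivalent for this service, the concern raised in the comments on this post.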

Note:  Using hashes is still very vulnerable to dictionary attacks (even if using SendHashed).  If you can’t count on users using very strong passwords, then I would not use hashes but crypto instead and send the cipher password using SendPlainText.  See Crack your WSE SendHashed Passwords for more info.

Shortly, I will post a way to use SRP (RFC 2945) that can add even better security to your web methods/UsernameTokens.

That is about it. As this post went longer than expected, I will post a complete C# implementation in another blog. I only wish MSN Spaces allowed attaching Zip files as I could post actual projects.

Happy Hashing…


William Stacey [MVP]


10 Responses to Salting your hash and WSE UsernameTokens

  7. William says:

    "Do you mean
    v = SHA1(password + GetSalt(userName)), don't you? ;-)"

    Doh! That fell off somehow?? I should have probably just posted the code 😉 Thanks for the spot.

    Cheers!
    –William [MVP]

  8. Softwaremaker says:

    Thanks for the upgrade ;-)

    DB Create User
    —————–
    v = (password + GetSalt(userName))
    ev = RijndaelEncrypt(secret_key, v)

    You do mean
    v = SHA1(password + GetSalt(userName)), don't you? 😉

  9. William says:

    I see your point about the "v" being the same and if the DB is stolen you would have password equiv. I can't help thinking this is a bit like saying PKI is no good because if you steal the private key, then you broke PKI. However, there is a small upgrade to this logic that will provide much better security.

    DB Create User
    —————–
    v = (password + GetSalt(userName))
    ev = RijndaelEncrypt(secret_key, v)

    Client Side
    ————
    1) v = (password + GetSalt(userName))

    UTM
    ——–
    user = db.FindUser(token.Username)
    if ( user == null ) return null
    v = RijndaelDecrypt(secret_key, user.EV)
    return v

    This seems to work pretty well. Also DB dictionary attacks can not be done without the secret.
    –William

  10. Softwaremaker says:

    Good post and great insight. However, I do have some reservations which I have posted on my blog. You can check it out here. http://www.softwaremaker.net/blog/PermaLink,guid,f97dad7f-362e-41fe-bd5f-0c6906946c69.aspx
