It's no secret that an application needs to protect the usernames and passwords it uses. What is probably less well known is how a password can be maintained and stored safely.
A password should not be stored in the database as plain text; instead it should be converted into a value that is not easily recognizable and is unique to that input. That value is called a hash. A hashing algorithm maps each input string to a fixed-form hash value, and the same string always produces the same hash.
When the user chooses a password, the password is hashed into that value, and the hash value, not the password, is stored in the database. When the user later logs in, the entered password is hashed again with the same algorithm, and the result is compared with the hash value stored in the database to validate the login.
A hashed value cannot be un-hashed, so there is no way to recover the original password from the hash. This gives an additional level of security: if someone takes the hashed passwords from the database, they cannot be turned back into their original form. The trade-off is that if a user forgets the password, a new password has to be issued rather than the old one recovered.
The System.Security.Cryptography library in the .NET Framework provides several classes that implement hashing. Two hashing schemes provided by this library are:
1. MD5: Message Digest 5 (MD5). The MD5 algorithm hashes a value such as a password. This algorithm offers better performance than SHA1.
2. SHA1: Secure Hash Algorithm 1 (SHA1). The SHA1 algorithm hashes a value such as a password. This algorithm offers better data security than MD5.
A password, for example "password", will have a SHA1 hash that looks like: W6ph5Mm5Pz8GgiULbPgzG37mj9g=
The following code uses the SHA1 algorithm to hash a password:
See The Code :
using System;
using System.Security.Cryptography;

public static String ComputeHash(string textToHash)
{
    // SHA1 over the UTF-8 bytes of the input, returned as Base64 text
    SHA1CryptoServiceProvider SHA1 = new SHA1CryptoServiceProvider();
    byte[] byteValue = System.Text.Encoding.UTF8.GetBytes(textToHash);
    byte[] byteHash = SHA1.ComputeHash(byteValue);
    SHA1.Clear();
    return Convert.ToBase64String(byteHash);
}

We can use the above code in any application to store a password or other important information.
But hashing the password alone cannot protect an application from a dictionary attack. To improve security, the password should be salted.
Salting passwords
A hashed password provides better security than storing the password in the database as text, but a hash on its own is still weak against a dictionary attack. In a dictionary attack, a cracker tries to guess passwords by using software to hash every word in a prepared dictionary with the same algorithm and comparing the resulting hash values with the hash values found in the database.
To complicate the cracker's work, we can add some random bytes at the beginning and/or end of the password before hashing and storing it. These random bytes are called the salt. We then save the salt value in the table along with the password hash.
See The Code :
public static String ComputeSalt()
{
    // A new GUID serves as a unique per-user salt, stored as text beside the password hash
    System.Guid GuidValue = System.Guid.NewGuid();
    return GuidValue.ToString();
}

By combining the two techniques, hashing and salting, we minimize the possibility of unauthorized access to our application.
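The following is an added example, not code from the original post: it generates the salt with the .NET cryptographic random number generator (RandomNumberGenerator, the API documented as cryptographically secure; Guid.NewGuid() is only guaranteed to be unique) and then shows concretely why the salt defeats a precomputed dictionary. The class and method names are my own, the sample password is constructed, and the code assumes .NET Core 2.0+ or .NET 5+.

```csharp
// Added example (not from the original post): CSPRNG salt generation and
// a demonstration of why salting defeats a precomputed hash dictionary.
using System;
using System.Security.Cryptography;
using System.Text;

public static class SaltDemo
{
    // 16 random bytes from the OS CSPRNG, Base64-encoded for storage in a text column.
    public static string ComputeSalt()
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return Convert.ToBase64String(salt);
    }

    // Same scheme as the post: SHA1 over the UTF-8 bytes, Base64 output.
    public static string ComputeHash(string textToHash)
    {
        using (var sha1 = SHA1.Create())
        {
            byte[] hash = sha1.ComputeHash(Encoding.UTF8.GetBytes(textToHash));
            return Convert.ToBase64String(hash);
        }
    }

    public static void Main()
    {
        const string password = "password"; // constructed sample input

        // Unsalted: every user with this password stores the same value, so a
        // single precomputed dictionary entry matches all of them at once.
        string unsaltedA = ComputeHash(password);
        string unsaltedB = ComputeHash(password);
        Console.WriteLine("unsalted A: " + unsaltedA);
        Console.WriteLine("unsalted B: " + unsaltedB);
        Console.WriteLine("identical: " + (unsaltedA == unsaltedB));

        // Salted: a per-user salt is prepended before hashing, as in the post's
        // ValidasiLogin (salt + password). Same password, different stored values,
        // so a dictionary would have to be rebuilt for every salt.
        string saltA = ComputeSalt();
        string saltB = ComputeSalt();
        string saltedA = ComputeHash(saltA + password);
        string saltedB = ComputeHash(saltB + password);
        Console.WriteLine("salted A: " + saltedA + " (salt " + saltA + ")");
        Console.WriteLine("salted B: " + saltedB + " (salt " + saltB + ")");
        Console.WriteLine("identical: " + (saltedA == saltedB));
    }
}
```

Run it and the two unsalted lines carry the same Base64 value (the one quoted earlier in the post for "password"), while the two salted lines differ even though the password is the same. The salt is not secret; it is stored next to the hash exactly as the post describes, and its only job is to make each stored hash unique so precomputation stops paying off.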
Validate Login
The code in the following section brings together all the concepts above in a method, ValidasiLogin, which uses the salt and hash technique described previously.
See The Code :
public bool ValidasiLogin(string sUserName, string sPassword)
{
    DataSet dsUser;
    if (sUserName.Length == 0 || sPassword.Length == 0)
    {
        throw new ArgumentOutOfRangeException("Username dan Password diperlukan.");
    }
    dsUser = this.Retrieve(sUserName);
    // If the user is not found, show an error message
    if (dsUser == null || dsUser.Tables[TN_USER] == null
        || dsUser.Tables[TN_USER].Rows.Count == 0)
    {
        throw new UsernameNotFoundException("Invalid Username");
    }
    DataRow dr = dsUser.Tables[TN_USER].Rows[0];
    string sPasswordEncoded = dr[FN_PASSWORD_ENCODED].ToString();
    string sPasswordSalt = dr[FN_PASSWORD_SALT].ToString();
    // Recompute the hash over salt + entered password and compare with the stored hash
    string sPasswordHash = SecurityUtility.ComputeHash(sPasswordSalt +
        sPassword);
    if (String.Compare(sPasswordEncoded, sPasswordHash) != 0)
    {
        throw new PasswordInvalidException("Invalid Password");
    }
    return true;
}

This method takes the entered username and password as parameters; if either parameter is empty, the code throws an error. The username is then passed to the Retrieve method, which returns a dataset containing the data of the user logging in. The code throws an error if the dataset is empty.
The salt is read from the dataset and prepended to the password entered by the user. The result is passed to ComputeHash to calculate the hash value, which is then compared with the hash value read from the dataset. The code throws an error if the two hash values do not match.
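As an added example, not code from the original post, here is the same ValidasiLogin control flow with the primitives a practitioner would choose today: a random per-user salt, a slow key-derivation function (PBKDF2 through Rfc2898DeriveBytes with SHA-256 and a high iteration count, so each dictionary guess costs the attacker real CPU time) and a constant-time comparison instead of String.Compare. A Dictionary stands in for the post's DataSet/Retrieve, the UserRecord fields mirror FN_PASSWORD_SALT and FN_PASSWORD_ENCODED, the exception classes are assumed to look like the post's, the sample user is constructed, and the code assumes .NET Core 2.1+ or .NET 5+.

```csharp
// Added example (not from the original post): registration plus login
// validation with PBKDF2 and a constant-time comparison.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public class UsernameNotFoundException : Exception { public UsernameNotFoundException(string m) : base(m) { } }
public class PasswordInvalidException : Exception { public PasswordInvalidException(string m) : base(m) { } }

public sealed class UserRecord
{
    public string PasswordSalt;    // Base64 salt, stored beside the hash (mirrors FN_PASSWORD_SALT)
    public string PasswordEncoded; // Base64 PBKDF2 output (mirrors FN_PASSWORD_ENCODED)
}

public static class PasswordStore
{
    const int SaltBytes = 16;
    const int HashBytes = 32;
    const int Iterations = 100000; // cost factor: raise it as hardware gets faster

    // In-memory table playing the role of the post's TN_USER table.
    static readonly Dictionary<string, UserRecord> users =
        new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase);

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashBytes);
        }
    }

    // Registration: fresh random salt per user, store the salt and the derived hash.
    public static void Register(string userName, string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        users[userName] = new UserRecord
        {
            PasswordSalt = Convert.ToBase64String(salt),
            PasswordEncoded = Convert.ToBase64String(Derive(password, salt))
        };
    }

    // Login validation with the same control flow as the post's ValidasiLogin.
    public static bool ValidasiLogin(string sUserName, string sPassword)
    {
        if (string.IsNullOrEmpty(sUserName) || string.IsNullOrEmpty(sPassword))
        {
            throw new ArgumentException("Username and password are required.");
        }

        UserRecord dr;
        if (!users.TryGetValue(sUserName, out dr))
        {
            throw new UsernameNotFoundException("Invalid Username");
        }

        byte[] salt = Convert.FromBase64String(dr.PasswordSalt);
        byte[] stored = Convert.FromBase64String(dr.PasswordEncoded);
        byte[] computed = Derive(sPassword, salt);

        // Constant-time compare: String.Compare and == stop at the first differing byte,
        // which leaks how much of the hash matched through timing.
        if (!CryptographicOperations.FixedTimeEquals(stored, computed))
        {
            throw new PasswordInvalidException("Invalid Password");
        }
        return true;
    }

    public static void Main()
    {
        Register("alice", "password"); // constructed sample data
        Console.WriteLine(ValidasiLogin("alice", "password"));
        try { ValidasiLogin("alice", "Password"); }
        catch (PasswordInvalidException e) { Console.WriteLine(e.Message); }
        try { ValidasiLogin("bob", "password"); }
        catch (UsernameNotFoundException e) { Console.WriteLine(e.Message); }
    }
}
```

The stored record still has exactly the two columns the post uses, salt and encoded hash, so this drops into the same table layout; only the hash function and the comparison change. The iteration count is the tuning knob: pick the largest value that keeps login latency acceptable on your server, and store it alongside the record if you expect to raise it later.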
Finally, you can use this method as a pattern for login validation in your own application, to safeguard it and restrict illegal access.