Just How Hard is it to Brute Force Attack Encrypted Keys?

In today’s post, Jeff Atwood from Coding Horror examines just how hard it is to brute force attack an encrypted key.

So how hard is it? Jeff quotes Jon Callas, the CTO of PGP Corporation:

“Imagine a computer that is the size of a grain of sand that can test keys against some encrypted data. Also imagine that it can test a key in the amount of time it takes light to cross it. Then consider a cluster of these computers, so many that if you covered the earth with them, they would cover the whole planet to the height of 1 meter. The cluster of computers would crack a 128-bit key on average in 1,000 years.”

That is a staggering number. Imagine the difficulty of brute force attacking a 256-bit encrypted key!
He goes on to offer several other quotes, and analogies which really put the difficulty into perspective.

This leads me to another point I would like to make. Always protect passwords in a database with a 1-way hash. Except in extremely rare circumstances there is no reason to store user passwords in plain text. If the user forgets their password it is trivial to generate a new password for them, and store a 1-way hash of the new password in the database. When the user logs in, simply 1-way hash the password they entered (with the same algorithm) and compare the hash to the one stored in the database.

For security, user passwords should never be recoverable, even by administrators. This not only prevents a rogue employee from retrieving a list of all usernames and passwords in the system, but also protects the passwords against SQL injection attacks if you make a mistake securing your forms-based authentication system.

Below is a simple example of hashing a string in C#:

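    using System.Web.Security;

    // Returns the hex-encoded SHA-1 hash of the password for storage.
    // Place this method inside your page or helper class.
    private string HashPassword(string password2hash)
    {
        // hash password
        string hashedpassword =
            FormsAuthentication.HashPasswordForStoringInConfigFile(
                password2hash, "sha1");
        return hashedpassword;
    }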

For a greater level of security, I recommend using a salted hash, which appends a number of random characters to a string prior to hashing. This method will also prevent potential dictionary attacks. For those interested, David Hayden provides a simple method for adding a salt to hashes.

I highly recommend reading the blog posts by Jeff Atwood and David Hayden for more information on this subject.

Why do web designers test with multiple browsers?

Related to my post yesterday, friends and family members often ask me why I recommend Firefox as their primary browser. I am frequently asked questions like, “What’s wrong with Internet Explorer?” Despite the fact that alternative browsers are gaining market share, the vast majority of users still use IE, simply because they don’t feel they are advanced enough to use something else.

In addition to the added security and features, I use Firefox for one other very important reason. Believe it or not, other programmers have actually asked me why I test webpages in multiple browsers! I know this is hard to believe, but the logic is that since the overwhelming majority still uses Internet Explorer, why worry about the last 10%. Obviously there are flaws in this logic which brings me to the other important reason I use Firefox. Standards Compliance.

While no browser is fully standards compliant, Firefox and Opera are much closer than IE6. Microsoft promises that IE7 will be more standards compliant, actually stating that some pages hacked to work with IE6 will have to be rewritten/fixed to work with IE7. Thankfully, as an ASP.NET developer, I was delighted to hear that ASP.NET 2.0 produces standards compliant code!

The problem is, writing code for IE6 is a bit like Black Magic. It will cause a programmer to rip their hair out, which I will use as an excuse for my receding hairline :). Therefore supporting standards compliance is the battle cry of most web designers.

This brings me to this hilarious, yet truthful graph from Poisoned Minds which shows how web designers divide their time.

[Image: Web Design Time Pie Chart]

*Note: I have slightly modified the image to keep the site family-friendly.

Internet Explorer 7 Beta 3 for Windows XP & Opera 9 Now Available

Although I primarily use and recommend Mozilla Firefox due to its wonderful extension support, I thought I would take a moment to discuss other browsers.

The Microsoft Internet Explorer Team has officially released Internet Explorer 7 Beta 3 for Windows XP.
If you refuse to use any browser other than IE, or if you absolutely need IE specific technologies such as ActiveX, I highly recommend giving IE7 Beta 3 a try. Security has been greatly improved, and the interface is growing on me, although slowly. The tab support works well, and the browser seems quite speedy and responsive.

In other news, Opera has released Version 9 of their web browser. I must say, I am really impressed with the newest version of Opera. Although it lacks the vast extension support of Firefox, the browser itself is very, very good. It is speedy, lightweight, and stable. Version 9 sports an impressive list of features including support for the holy grail of CSS compliance: Acid2.

Although I will likely stick with Firefox on the desktop because of its extension and plug-in support, I think Opera is an excellent browser for alternative platforms. Opera Mini and Opera Mobile are available for mobile phones and PDAs. If you are still using Pocket Internet Explorer, give Opera a try. Also, Opera and Nintendo have announced that the Nintendo DS and the next-generation Nintendo Wii Console will use the Opera Web browser. I think this is an excellent move for both companies. Nintendo will get a very functional, lightweight browser. Opera will gain a large chunk of market share. This is a win-win for not only the companies, but standards compliance and webpage compatibility.

Of course, I suggest all web developers have Opera, Internet Explorer 6 and 7, and Firefox installed for testing purposes.

Visual Studio 2005 and SQL Server 2005 Express Editions Set Free!

Microsoft has announced that Visual Studio 2005 and SQL Server 2005 Express Editions will remain free permanently.

Initially, Microsoft was promotionally offering the Express Editions of Visual Studio 2005 and SQL Server 2005 free for 1 year to spur development, with plans to charge $49 for them beginning in November 2006.

Microsoft has now changed these plans, and the Express Editions will remain free forever.

This Infoworld Article details Microsoft’s change of plans:

“Citing 5 million downloads since November, Microsoft has cancelled plans to begin charging for its Visual Studio 2005 Express products, which feature abbreviated developer tools for hobbyists, beginners, and students. The plan had been to price the products at $49 beginning in November 2006. Thus far, they have been available at no charge.”

This is great news for the development community as a whole and a smart move for Microsoft. This will continue to spur the adoption of the .NET 2.0 Framework, and will provide a wealth of applications and tools for Windows users.

If you haven’t already, and have been wanting to begin development with .NET 2.0, download the Express Editions today!

Microsoft Atlas AJAX Server Control Toolkit Released!

Microsoft has released the April CTP of Atlas, an ASP.NET 2.0 AJAX implementation framework.

As if that is not exciting enough, Microsoft has also released the Atlas Server Controls Toolkit!

I have been playing around with the toolkit for the last hour and all I can say is: “WOW!”

The toolkit comes with the following pre-built ASP.NET 2.0 AJAX server controls extenders:

The toolkit also contains Atlas extender templates for creating your own AJAX server control extenders!

Grab your copy now!

Build .NET 1.1 applications with Visual Studio 2005

Another interesting tool for .NET developers is this power toy for Visual Studio 2005 called MSBee. MSBee enables developers to build .NET 1.1 applications with Visual Studio 2005.

It should be a great tool for those of us who still have a lot of .NET 1.1 code to support, but enjoy the enhancements in Visual Studio 2005.

Grab the MSBee Powertoy here.

WPF/E

Last week at the Mix ’06 Conference, Microsoft announced WPF/E, or Windows Presentation Foundation/Everywhere.

From Mike Harsh’s Blog:

“So what is WPF/E? It is a cross-platform, cross-browser web technology that supports a subset of WPF XAML. WPF/E also has a friction-free install model and the download size we’re targeting is very small. WPF/E supports programmability through javascript for tight browser integration. The WPF/E package also contains a small, cross platform subset of the CLR and .NET Framework that can run C# or VB.NET code. Yes, we are bringing C# programming to the Mac.”

I am absolutely thrilled by this news.
I can’t wait to write cross platform, Firefox compatible rich applications in .NET!

Check out Mike Harsh’s Blog for more information.

Visual Studio 2005 IntelliSense in .skin files

One issue that has often irritated me in Visual Studio 2005 is that .skin files do not enjoy IntelliSense.

That is, by default.

Today, I stumbled across a solution to enable IntelliSense in .skin files.

Why on earth this is not enabled by default I will never know.

Check out Vladimir Bychkov’s Blog for instructions.

He also has a post about enabling IntelliSense in the web.config file.

Additional Code Snippets for C# in Visual Studio 2005

For those of you unfamiliar with Code Snippets, a new feature in Visual Studio 2005, MSDN describes code snippets as:

“IntelliSense Code Snippets are reusable, task-oriented blocks of code. Visual Studio 2005 includes code snippets covering tasks ranging from creating a custom exception, to sending an e-mail message, to drawing a circle. A set of Visual Basic and Visual C# Code Snippets are included in the Visual Studio 2005 box.”

However, C# programmers were not given the complete set of Code Snippets available to our VB Compadres.

Microsoft has now corrected this issue.

Task Based Code Snippets for C# are now available from MSDN, giving C# developers the complete list of snippets available in Visual Basic. However, the installation of these snippets is a bit cumbersome.

To relieve this problem, Jeff Atwood of Coding Horror has created a registry file that will greatly simplify installation of these snippets.

Grab the new snippets or the simplified registry installer below:

You only need one of the packages above. I highly recommend Jeff Atwood’s package.

Dave

Excentrics World .NET 1.x Custom Controls are Back!!

This is excellent news for all of us .NET 1.1 programmers out there.

As of Friday, February 10, 2006, Microsoft has given Matt Hawley permission to begin distributing his excellent .NET 1.x custom controls again!

It has been 10 long months since Matt began working at Microsoft and was forced to remove his custom controls.

Finally, we are able to use Matt’s excellent control set in our applications again!

Controls Include:

Head over to Excentrics World and pick up Matt’s Controls now!