Just How Hard is it to Brute Force Attack Encrypted Keys?

Microsoft, Programming, Visual Studio No Comments

In today’s post, Jeff Atwood from Coding Horror examines just how hard it is to brute force attack an encrypted key.

So how hard is it? Jeff quotes Jon Callas, the CTO of PGP Corporation:

“Imagine a computer that is the size of a grain of sand that can test
keys against some encrypted data. Also imagine that it can test a key
in the amount of time it takes light to cross it. Then consider a
cluster of these computers, so many that if you covered the earth with
them, they would cover the whole planet to the height of 1 meter. The
cluster of computers would crack a 128-bit key on average in 1,000
years.”

That is a staggering number. Imagine the difficulty of brute force attacking a 256-bit encrypted key!
He goes on to offer several other quotes and analogies, which really put the difficulty into perspective.

This leads me to another point I would like to make. Always hash passwords before storing them in a database. Except in extremely rare circumstances, there is no reason to store user passwords in plain text. If a user forgets their password, it is trivial to generate a new password for them and store a one-way hash of the new password in the database. When the user logs in, simply one-way hash the password they entered (with the same algorithm) and compare the result to the hash stored in the database.

For security, user passwords should never be recoverable, even by administrators. This not only prevents a rogue employee from retrieving a list of all usernames and passwords in the system, but also protects the passwords against SQL injection attacks if you make a mistake securing your forms-based authentication system.

Below is an example of hashing a simple string in C#:

    using System.Web.Security;

    private string HashPassword(string password2hash)
    {
        // Hash the password with SHA-1; the result is a hexadecimal string
        string hashedpassword =
            FormsAuthentication.HashPasswordForStoringInConfigFile(
                password2hash, "sha1");
        return hashedpassword;
    }

For a greater level of security, I recommend using a salted hash, which appends a number of random characters to a string prior to hashing. This method will also prevent potential dictionary attacks. For those interested, David Hayden provides a simple method for adding a salt to hashes.

I highly recommend reading the blog posts by Jeff Atwood and David Hayden for more information on this subject.

Visual Studio 2005 and SQL Server 2005 Express Editions Set Free!

Microsoft, Programming, SQL Server, Visual Studio No Comments

Microsoft has announced that Visual Studio 2005 and SQL Server 2005 Express Editions will remain free permanently.

Initially, Microsoft was promotionally offering the Express Editions of Visual Studio 2005 and SQL Server 2005 free for 1 year to spur development, with plans to charge $49 for them beginning in November 2006.

Microsoft has now changed these plans, and the Express Editions will remain free forever.

This InfoWorld article details Microsoft’s change of plans:

“Citing 5 million downloads since November,
Microsoft has cancelled plans to begin charging for its Visual Studio
2005 Express products, which feature abbreviated developer tools for
hobbyists, beginners, and students. The plan had been to price the
products at $49 beginning in November 2006. Thus far, they have been
available at no charge.”

This is great news for the development community as a whole and a smart move for Microsoft. This will continue to spur the adoption of the .NET 2.0 Framework, and will provide a wealth of applications and tools for Windows users.

If you haven’t already, and have been wanting to begin development with .NET 2.0, download the Express Editions today!

Microsoft Atlas AJAX Server Control Toolkit Released!

Microsoft has released the April CTP of Atlas, an ASP.NET 2.0 AJAX implementation framework.

As if that is not exciting enough, Microsoft has also released the Atlas Server Controls Toolkit!

I have been playing around with the toolkit for the last hour and all I can say is: “WOW!”

The toolkit comes with the following pre-built ASP.NET 2.0 AJAX server control extenders:

The toolkit also contains Atlas extender templates for creating your own AJAX server control extenders!

Grab your copy now!

Build .NET 1.1 applications with Visual Studio 2005

Another interesting tool for .NET developers is this power toy for Visual Studio 2005 called MSBee. MSBee enables developers to build .NET 1.1 applications with Visual Studio 2005.

It should be a great tool for those of us who still have a lot of .NET 1.1 code to support, but enjoy the enhancements in Visual Studio 2005.

Grab the MSBee Powertoy here.

Visual Studio 2005 IntelliSense in .skin files

One issue that has often irritated me in Visual Studio 2005 is that .skin files do not enjoy IntelliSense.

That is, by default.

Today, I stumbled across a solution to enable IntelliSense in .skin files.

Why on earth this is not enabled by default, I will never know.

Check out Vladimir Bychkov’s blog for instructions.

He also has a post about enabling IntelliSense in the web.config.

Additional Code Snippets for C# in Visual Studio 2005

For those of you unfamiliar with Code Snippets, a new feature in Visual Studio 2005, MSDN describes code snippets as:

“IntelliSense Code Snippets are reusable, task-oriented blocks of code. Visual Studio 2005 includes code snippets covering tasks ranging from creating a custom exception, to sending an e-mail message, to drawing a circle. A set of Visual Basic and Visual C# Code Snippets are included in the Visual Studio 2005 box.”

However, C# programmers were not given the complete set of Code Snippets available to our VB Compadres.

Microsoft has now corrected this issue.

Task Based Code Snippets for C# are now available from MSDN, giving C# developers the complete list of snippets available in Visual Basic. However, the installation of these snippets is a bit cumbersome.

To relieve this problem, Jeff Atwood of Coding Horror has created a registry file that will greatly simplify installation of these snippets.

Grab the new snippets or the simplified registry installer below:

You only need one of the packages above. I highly recommend Jeff Atwood’s package.

Dave

Excentrics World .NET 1.x Custom Controls are Back!!

This is excellent news for all of us .NET 1.1 programmers out there.

As of Friday, February 10, 2006, Microsoft has given Matt Hawley permission to begin distributing his excellent .NET 1.x custom controls again!

It has been 10 long months since Matt began working at Microsoft
and was forced to remove his custom controls.

Finally, we are able to use Matt’s excellent control set in our
applications again!

Controls Include:

Head over to Excentrics World and pick up Matt’s controls now!

Download Visual Studio 2005 Express Editions today….. FOR FREE!

Microsoft has released Visual Studio 2005 and SQL Server 2005 as of November 4th.
They have also released lite versions of Visual Studio and SQL Server which they are calling “Express Editions”.
The Express Editions are totally free if downloaded before next year.
Grab them today!