
May 2007


Password Security: Salting, #1 – Password Storing

Security

Beware

Practically all present-day applications use usernames and passwords to control access to systems.
It is also well known that this information is among the most coveted by attackers. We, as systems developers, have a moral obligation (and sometimes a legal one too) to protect our users’ information. Previously, it was very common to find the data stored in plain-text fields “UserName” and “Password”, the worst possible design in information security:

ID_User  User       Password
1        janedoe    systempassword
2        janesmith  janesmith
3        johndoe    password
4        johnsmith  password

An attacker who managed to obtain access to the data could easily enter the system using another user’s identity. Nowadays, with improvements in legislation and in the security design of systems, it is common to store the password in hashed (“encrypted”) form, so that an attacker who obtains the data cannot read the passwords directly. Using MD5 on the sample data, we would have Password = MD5(password):

ID_User  User       Password
1        janedoe    67e375717d8d06e5ec5feac9b92e97a4
2        janesmith  1f51c87a47d5c4aacc042ba9945523ce
3        johndoe    5f4dcc3b5aa765d61d8327deb882cf99
4        johnsmith  5f4dcc3b5aa765d61d8327deb882cf99

Pretty much impossible to decipher, right? Totally false. With the sophistication of today’s attacks, a simple hash function applied to information as delicate as passwords is no longer sufficient. Why? Most users choose passwords that are less than safe (names, addresses, dates, common words, even the username itself), so an attacker with access to the DB only has the hassle of a dictionary attack (hashing known words and comparing the results) to recover some passwords. To make the work even easier, the attacker can scan the password hashes and detect repeated values, then concentrate the known-word attack on those records. That is to say, if 10 users chose the word “password” as their password, there would be 10 records in the DB with the value “5f4dcc3b5aa765d61d8327deb882cf99” (like johndoe and johnsmith in our example). And if several records share the same value, it is almost certainly a well-known word (how many people use the company’s name as their Intranet password?).

Salting

To mitigate this danger there is a technique called “password salting”. It consists of adding extra information, specific to each user, to the password before hashing it. Then, when the hash function is applied, the result is unique(*) for each user. In our example we will use ID_User as the extra information, giving Password = MD5(password + ID_User):

ID_User  User       Password
1        janedoe    95ffe45aed7fa057c8b632cc184b7ce5
2        janesmith  8fd6b4806b109a7117faeb64ea810959
3        johndoe    819b0643d6b89dc9b579fdfc9094f28e
4        johnsmith  34cc93ece0ba9e3f6f235d4af979b16c

* “unique” in terms of our DB. It is known that MD5, having a finite number of outputs and an infinite number of inputs, has many collisions. Nevertheless, for our practical user/password example we will always get unique results.
With this method we no longer find identical stored values, which makes the attack more difficult. Let us remember that no method is infallible and no system is inviolable, but taking measures like the one suggested here lessens the risks involved in storing users’ data.
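
The two tables above, the repeated-value scan an attacker performs, and the ID_User salt can all be reproduced in a few lines. The following Python is an added example (not the original article’s code): it builds both storage schemes over the four sample accounts, runs the repeated-hash check that a defender can also use to measure the exposure of their own table, and then goes beyond the article with what current practice recommends instead of MD5(password + ID_User): a random per-user salt stored beside the hash and an iterated key-derivation function (PBKDF2-HMAC-SHA256). The iteration count and the 16-byte salt length are assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional

# Constructed sample accounts: the same four rows the article's tables use.
# The plaintext passwords are the article's demo values, not real credentials.
USERS = [
    (1, "janedoe", "systempassword"),
    (2, "janesmith", "janesmith"),
    (3, "johndoe", "password"),
    (4, "johnsmith", "password"),
]


def md5_hex(text: str) -> str:
    """Hex MD5 digest of a string (only used to reproduce the article's tables)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def store_unsalted(users) -> Dict[int, str]:
    """Password = MD5(password), the article's second table."""
    return {user_id: md5_hex(pw) for user_id, _, pw in users}


def store_salted_with_id(users) -> Dict[int, str]:
    """Password = MD5(password + ID_User), the article's salting scheme."""
    return {user_id: md5_hex(pw + str(user_id)) for user_id, _, pw in users}


def repeated_hashes(table: Dict[int, str]) -> Dict[str, int]:
    """Stored values that occur more than once, with their counts.

    This is the scan the article describes: identical stored values almost
    always mean a common password. Run over your own table it is a cheap
    measure of how much an unsalted scheme is exposing.
    """
    counts = Counter(table.values())
    return {h: n for h, n in counts.items() if n > 1}


# --- Beyond the article: random per-user salt plus a slow KDF -----------------
# The article salts with ID_User, which is predictable. Current practice stores a
# random salt next to the hash and uses an iterated KDF so each guess is costly.

PBKDF2_ITERATIONS = 200_000  # assumption: tune to your own hardware budget
SALT_LEN = 16                # assumption: 16 random bytes per user


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Create a stored record {salt, hash, iterations} for one password."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_record(record: dict, candidate: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def store_random_salt(users) -> Dict[int, dict]:
    """One random-salt PBKDF2 record per user."""
    return {user_id: make_record(pw) for user_id, _, pw in users}


if __name__ == "__main__":
    for label, table in (("unsalted", store_unsalted(USERS)),
                         ("salted with ID_User", store_salted_with_id(USERS))):
        print(f"{label}: repeated values = {repeated_hashes(table)}")
    records = store_random_salt(USERS)
    for user_id, _, pw in USERS:
        print(user_id, records[user_id]["hash"][:16], "...", verify_record(records[user_id], pw))
```

Running the block shows one repeated value in the unsalted table (johndoe and johnsmith both stored as 5f4dcc3b5aa765d61d8327deb882cf99) and none in the ID_User-salted table; the random-salt records differ even for the two identical passwords, and verification recomputes the KDF from the stored salt and compares with a constant-time check.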
In the following article we’ll look at password salting from the user’s side. As we know, the weakest link in security is the user, but with a little education from sysadmins and responsibility on the part of the user we can reach an acceptable level of security. For users, the article will try to improve the passwords you use to access systems and to prevent your information from being accessed by unauthorized people.
Cheers!

password salt security seguridad

Microsoft contest delayed

General, Events

It seems that project delays aren’t exclusive to real projects :) even contests must be “rescheduled” for completion :)

Dear contestant, we appreciate your subscription to the “Microsoft Expression Awards 2007” contest. We’ve heard your petitions and we decided to extend the contest’s deadline to June 22nd, 2007, giving all contestants the chance to finish and improve their projects satisfactorily. We are aware of the complexity of the requirements to cover, as is stated in the terms and conditions, i). You can check them on the contest’s website:
http://www.expressionawardslatam2007.com/default.asp?idioma=la

We invite you to take advantage of this unique opportunity to participate and win great prizes. Don’t wait any more and start using “Expression Web” to build your project. We also remind you that we have a forum where you can post any question or comment related to this contest or the “Expression” tools. Good luck!

Luis Fuentes

Visual Studio and Expression Manager
Microsoft Latinoamérica

events microsoft

CardSpace/AJAX Presentation

Events

Today I went to the MSDN event ASP.NET AJAX and CardSpace at Edwards Cinema in Mira Mesa, CA.
To my surprise, this time Anand Iyer wasn’t there; instead it was Michele Leroux Bustamante (a very nice change IMHO) along with Lynn Langit.
As always, I was asleep at the beginning, but that was more because of Lorena, who didn’t let me sleep last night (she decided that 1 AM was a very good time to ask for a bottle and play for almost an hour).
The security session was really interesting, even though “new” from Microsoft, as usual, means it has existed for years. It focused on CardSpace, Microsoft’s new identity manager.
The sections where we supposedly would see AJAX were hurried: since the first section ran long, we didn’t have enough time for it.
Here is the link to the event’s resources, in case you want to check them out:

CardSpace/AJAX Presentation resources

.net ajax events msdn

CarpeTeknus: where does it come from?

General

One of those days I was thinking about the phrase Carpe Diem and its meaning, when something came to my mind about technology and how little we know how to use it, despite the great technological advances we have at hand.
The classic example is the Guidance Computer used to land Apollo XI on the moon back in 1969. It had a 2.048 MHz processor (yes, two point oh four eight megahertz), 4K of RAM with a 16-bit word, and a 3-bit instruction set. And what is the configuration of the computer you are using right now? I bet it’s at least a Celeron 1 GHz with 256 MB of RAM, a 32-bit instruction set and lots of fancy things… thousands of times more powerful than the AGC that guided Apollo XI to the moon. And how many times have you ever landed on the moon… in reality?
So be it… let this be an attempt to make better use of the technology we have available…
Suggestions? Complaints? Welcome…

Starting a new phase

General

Here I am again, starting new projects and a new stage in publishing.
Now I want a place to put my projects, experiences and ideas, so you will see code, events, pics and all kinds of technology-related things that I learn and develop.
I hope this gets better over time, that you may learn a little, and that I learn from you too.
Best regards.

.net blog inicio start


Carpe Teknus © 2010
