Chris Gomez

Development topics for the indie programmer

Store passwords the right way in ASP.NET

Code Download: Hash Winforms project (10 kb)

The web attacks against sites like Gawker, the Sony PlayStation Network, various Sony sites, and even the FBI-affiliated Infragard made some big headlines. Just this month, Anonymous has released passwords of BART officers online.

My frustration with these attacks was how quickly the attackers were able to post the users' credentials online. This should have taken much longer and quite possibly been impossible to accomplish, even with stolen data.

Your users, whether they should be or not, might be using the same user name and password on several key sites like Facebook, Twitter, their bank (checking or credit card), or a government site.  Maybe your state’s DMV is creating user accounts now and someone could request a new ID card using the name and password reused on a simple blog.

Defense In Depth

This post and the follow-ups do not claim to be the end-all last word on web site security.  It is merely the beginning.  I am going to take a small piece of this larger world and explore it with you.  Do not think this is the end of the story.  You should be defending your servers, your databases, and your code using all means appropriate for your needs.

Today’s Example and Assumptions

So for purposes of today’s story, we are going to assume the database with all of your users’ login credentials (username and password) has been copied and stolen. I’m going to use this as an assumption because, just in the last year, we’re seeing passwords recovered again and again, so the raw data is being stolen.

The thief is now staring at your database in, let’s say, SQL Server Management Studio.  Do you want the thief to see this?

[Image: plaintext database]

Philly.Net Users Group – Code and Slides

I spoke at the Philly.Net User Group in June and I want to thank the group for hosting me and for the enthusiasm from the folks who came to see how to build games using XNA.

I had some problems with my web server and provider so I’ve had to do some rebuilding here at my blog.  But here is where you can find the code and slides for the game we made during the meeting.

Code and Slides on SkyDrive

Public Github Repository

We now know that XNA will be one of the supported development frameworks for Windows Phone 8. It won’t just be that games built with the old Windows Phone 7 SDK will be supported; the new SDK will have XNA games as a supported project type.