I was doing some research for a project that I am working on, where I need to choose a method of password storage, and I wanted to understand the kinds of things that I need to do to reduce the attack surface of my application (or service, in my case). I ran across a phenomenal web cast by Joe Stagner (Microsoft) titled "The Digital Black Belt's Guide to Working with Web Application Passwords." Heck of a title, huh?
Joe does a great job of explaining some of the security issues with storing usernames/passwords in forms-based solutions, where we store the username and password in a custom database. Better yet, and this is extremely rare for Microsoft to do in a web cast, he shows how easily hackers can defeat weak username/password combinations, including some of their techniques (SQL injection, password cracking). Thankfully, the last 1/3 of the talk is about how to better secure our systems. For my uses, I am going to go the lazy (uh, I mean more time-efficient) route of using the built-in ASP.NET data store.
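To make the two failure modes named above concrete, here is an added example that is not from the post or from the webcast. It is written in Python as a language-neutral illustration rather than in C#; an in-memory SQLite table stands in for the "custom database", the user accounts and the wordlist are constructed for the demo, and the function names (`login_vulnerable`, `login_hardened`, `offline_crack`) are my own. It shows the classic hand-rolled login (plaintext passwords plus a query built by string concatenation) beside a hardened version (parameterized query, per-user salt, PBKDF2-HMAC-SHA256, constant-time comparison), and then what an offline guessing attack against the dumped hashed table still achieves when one user picked a weak password.

```python
"""Constructed example, not code from the post or the webcast: a naive
forms-auth user store next to a hardened one, plus an offline guessing run."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; "bob" deliberately has a weak password.
SAMPLE_USERS = [("alice", "correct-horse-battery-staple-77"), ("bob", "password")]

# PBKDF2 work factor. Kept modest so the demo runs quickly; raise it in
# production to the highest count your login latency budget tolerates.
ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 and a random 16-byte salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def make_db():
    """Build both schemas: the naive plaintext table and the hardened one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    conn.execute(
        "CREATE TABLE users_hashed "
        "(username TEXT PRIMARY KEY, salt BLOB, hash BLOB, iterations INTEGER)"
    )
    for user, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        salt, digest = hash_password(pw)
        conn.execute(
            "INSERT INTO users_hashed VALUES (?, ?, ?, ?)", (user, salt, digest, ITERATIONS)
        )
    return conn


def login_vulnerable(conn, username, password):
    """Both mistakes at once: passwords stored in the clear, and the query is
    assembled by string concatenation, so the username is parsed as SQL."""
    sql = ("SELECT COUNT(*) FROM users_plain WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn, username, password):
    """Parameterized lookup, salted PBKDF2 verification, constant-time compare."""
    row = conn.execute(
        "SELECT salt, hash, iterations FROM users_hashed WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        # Spend the same work for unknown users so response time does not
        # reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored, iterations = row
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


def offline_crack(conn, wordlist):
    """What an attacker does with a dumped users_hashed table: guess per user.
    The salt defeats precomputed tables; only the work factor and the
    password's strength slow the guessing down."""
    cracked = {}
    rows = conn.execute("SELECT username, salt, hash, iterations FROM users_hashed")
    for username, salt, stored, iterations in rows:
        for guess in wordlist:
            if hmac.compare_digest(hash_password(guess, salt, iterations)[1], stored):
                cracked[username] = guess
                break
    return cracked


# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein"]


if __name__ == "__main__":
    db = make_db()
    # Injection: the username closes the quote and comments out the password check.
    print(login_vulnerable(db, "' OR 1=1 --", "anything"))                 # True
    print(login_hardened(db, "' OR 1=1 --", "anything"))                   # False
    print(login_hardened(db, "alice", "correct-horse-battery-staple-77"))  # True
    print(offline_crack(db, WORDLIST))                                     # {'bob': 'password'}
```

The point of the last function is the caveat a practitioner should keep in mind: salting and a slow KDF make a stolen table expensive to attack, but they do not rescue a password that is in every wordlist, which is why the hardened store still has to be paired with a password policy and a lockout or rate limit on the online login path.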
Check out the web cast at this link (it’s not very long): http://www.microsoft.com/events/EventDetails.aspx?CMTYSvcSource=MSCOMMedia&Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22ID%22+Value%3d%221032293751%22%2f%5e%7earg+Name%3d%22ProviderID%22+Value%3d%22A6B43178-497C-4225-BA42-DF595171F04C%22%2f%5e%7earg+Name%3d%22lang%22+Value%3d%22en%22%2f%5e%7earg+Name%3d%22cr%22+Value%3d%22US%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e
~ Robert Shelton