Paranoid Nerd

Everyone gets hacked. Even the best websites. Hackers find a way. But if they get you, why make it easy on them? Store your passwords in the best way possible so that they are hard to crack! Password storage involves two steps: salting and hashing.

One thing to keep in mind is that passwords are not cracked in the traditional sense any more; that takes too long. Most "cracks" happen by using a rainbow table, generating hashes and comparing them to what you have stored.

Salting

The purpose of salting is to make every password as close to 100% unique as possible. This can be done by generating random bytes and adding them to a user's password. This way, if two users are created with the exact same password, the same value will not get stored in the database. It mitigates the use of a rainbow table. Make your salt a reasonable length and give it a wide range of possible values. Your website may only allow ASCII characters for the user's password, but don't limit yourself to these characters when generating the salt. Make sure your salt is randomly generated for every user. I've seen applications that use a static salt for every password - don't do that!

The salt should be stored in your database along with the hashed password+salt. When storing the salt make sure to encrypt it. When a user logs in your goal is to be able to pull out the salt, decrypt it, add it to the attempted password, hash it, and compare that value to the stored hash. Again, encrypt your salt! Keep your encryption key as safe as possible.

Hashing

Hashing is one-way encryption, meaning you cannot decrypt the value. Some hashing algorithms are better suited for passwords than others. Here's why... Did you know on a moderately priced GPU you can generate over 4.7 billion MD5 hashes per second? Or how about over 2.2 billion SHA1 hashes per second? SHA2 variants aren't far behind either. The problem with these algorithms is that they are meant to be fast. Fast is not good for password hashing.

So what is a good hashing algorithm? BCrypt is a hashing algorithm that is meant to be slow. It takes a certain amount of processing power to generate a BCrypt hash. It will take a hacker a long time to generate lots of them and they won't be able to crack your passwords as fast. Either that or it means they will need more/faster hardware which drives up the cost. BCrypt is configurable so that you determine how fast or slow it runs. This, of course, means that your new user/login/change password functions will take longer. What is a little more added time to your login process though? Most users won't be able to tell or care. The amount of protection added far outweighs the cost of time to real users.

Is there something better than BCrypt? Yep. SCrypt does everything BCrypt does but also requires a certain amount of memory. This drives the time/hardware cost up even more. The amount of memory required to generate a hash is configurable.
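As an added example (not the ParanoidNerd sample solution, which is C#/MVC3), here is the salt-then-slow-hash scheme above in Python, using the standard library's hashlib.scrypt so it runs without extra packages. The record format, the scrypt cost parameters and the helper names are my choices; the salt is stored in the clear next to the hash here, so the extra encryption step the post recommends would sit on top of this.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# scrypt cost parameters (example defaults, my assumption). Memory use is about
# 128 * N * r bytes, so N=2**14, r=8 needs roughly 16 MiB per hash; raise N over time.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, HASH_BYTES = 16, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt and hash a password; returns 'scrypt$N$r$p$salt_hex$hash_hex' for storage."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh CSPRNG salt per user, never static
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Pull the salt and cost parameters out of the stored record, re-derive, compare."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_two_users() -> bool:
    """Two users registering the same password get different stored records thanks to the salt."""
    return hash_password("correct horse") != hash_password("correct horse")
```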

Sample Application

Below is a sample MVC3 solution that incorporates hashing and salting properly. I named the solution "ParanoidNerd", hence the post title.

Download ParanoidNerd [3.2 MB]

File System Monitor

Today at work I overheard some of the IT folks talking about file monitors for various systems and remembered that I had written one of these a few years ago ...so here it is!

This app will run through a list of directories and email you a report of which files have been added or updated. I use it on my web server so that I can keep an eye on malicious files that someone may have uploaded (although that has never happened).

In the config file there are a number of settings you need to update with your SMTP credentials. There is also a template.csrzr file, which is the template for the email that is sent. It is C# with Razor syntax that generates HTML for the email content. If you feel comfortable editing that, go at it.

There is also a -test.cmd file that will run the application with the -test parameter. The only thing this does differently is that it doesn't update the LastRunTime setting in the config file once it's finished.

I have this setup on my server to run once a day using Windows Task Scheduler but you can run it as often or as little as you like using the same method.
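Added example, not the File System Monitor's own code: the core comparison the tool performs, in Python, for a list of paths and a LastRunTime. One assumption of mine: to tell added from updated files it keeps a snapshot of the paths seen at the previous run instead of relying on file creation times; the SMTP report and the update of LastRunTime in the config are left out.

```python
import os
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, float]  # file path -> last-modified time (seconds since the epoch)


def scan_files(paths: List[str]) -> Snapshot:
    """Walk every monitored directory (the Paths setting) and record each file's mtime."""
    snapshot: Snapshot = {}
    for root in paths:
        for dirpath, _dirs, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    snapshot[full] = os.stat(full).st_mtime
                except OSError:
                    continue  # file vanished between listing and stat; skip it
    return snapshot


def build_report(paths: List[str], last_run_time: float,
                 previous: Snapshot) -> Tuple[List[str], List[str], Snapshot]:
    """Return (added, updated, current): added = not seen at the previous run,
    updated = seen before but modified after LastRunTime. Both lists are sorted."""
    current = scan_files(paths)
    added = sorted(p for p in current if p not in previous)
    updated = sorted(p for p, mtime in current.items()
                     if p in previous and mtime > last_run_time)
    return added, updated, current


def demo() -> Tuple[List[str], List[str]]:
    """Constructed fixture: one file from before the previous run, then a new file
    and a rewrite of the old file after LastRunTime. Returns base names only."""
    root = tempfile.mkdtemp()
    index = os.path.join(root, "index.html")
    open(index, "w").close()
    os.utime(index, (1000, 1000))            # modified long before the previous run
    previous = scan_files([root])            # snapshot kept from the previous run
    last_run_time = 2000.0                   # the LastRunTime setting
    upload = os.path.join(root, "unexpected.txt")
    open(upload, "w").close()
    os.utime(upload, (3000, 3000))           # appeared after the last run
    os.utime(index, (3000, 3000))            # existing page rewritten after the last run
    added, updated, _current = build_report([root], last_run_time, previous)
    return ([os.path.basename(p) for p in added], [os.path.basename(p) for p in updated])
```

A modification time is set by whoever last wrote the file, so a snapshot that also stores a content hash per path is harder to fool than mtime alone.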

Here is a list of all the settings in the config file. The download is below.


Setting Name: Description

Paths: A | (pipe) separated list of paths to be monitored.
LastRunTime: The value is used to determine when the program was last run and as the time to compare new/updated files against. After sending a report the program will update this value. You do not need to change this value.
InstanceName: The instance name to be used in the reporting template. If the instance name is blank then the machine's name will be used.
FromAddress: Email address the report will come from.
Subject: Subject of the email. {0} is replaced with the InstanceName. For example, if the InstanceName is "WEB01" and the Subject is "File Report for {0}" then the subject of the email will be "File Report for WEB01".
ToAddresses: A , (comma) separated list of email addresses the report will be sent to.
SmtpHost: The SMTP host address.
SmtpSsl: "true" or "false" value that determines whether the email is sent using SSL.
SmtpPort: The SMTP port number.
SmtpTimeout: The number of milliseconds to wait for the email to be sent before timing out.
SmtpUser: The SMTP user name.
SmtpPass: The SMTP password.

File System Watcher 1.0 [92 KB]

Automatically Creating Sprites from CSS using Bundler .NET

Today I've updated Bundler.NET to include more optimization of images. You can now take every image in your CSS and create a sprite automatically. Here is how it works... (example solution download below)

First the CSS:

.clear {
    clear: both;
}

.img {
    height: 48px;
    width: 48px;
    display: block;
    margin: 10px;
    float: left;
}

.img-browser {
    background: url('images/browser.png?embed') no-repeat 0 0;
}

.img-clock {
    background: url('images/clock.png?embed') no-repeat 0 0;
}

.img-kdf {
    background: url('images/kdf.png?embed') no-repeat 0 0;
}

.img-kservices {
    background: url('images/kservices.png?embed') no-repeat 0 0;
}

.img-lock {
    background: url('images/lock.png?embed') no-repeat 0 0;
}

Notice the ?embed after each image reference. This identifies the image to be included in the sprite. When we create our bundle, we want to use a new type called CssMinifySpriteEmbed. Here is what that looks like:

var options = new BundleOptions
{
	EnableOptimizations = true,
	IncludeFileExtensionInAlias = true
};

var css = new Bundle("~/css", typeof(CssMinifySpriteEmbed), options);
css.AddFile("~/Content/Styles.css");
BundleTable.Add(css);

What this will do is look through all of your styles and find image references. Then it will combine all images into a sprite and optimize that image to make it as small as possible. The result gets base64 encoded and added to the stylesheet as a new style called "sprite". For every style definition that had an image reference a new definition is added with ".sprite" appended to the name.

All you have to do now is add the "sprite" class to your HTML elements. If you don't add the class then your original style/image reference applies and not the sprite.

<div>
	<span class="img img-browser sprite"></span>
	<span class="img img-clock sprite"></span>
	<span class="img img-kdf sprite"></span>
	<span class="img img-kservices sprite"></span>
	<span class="img img-lock sprite"></span>
	<div class="clear"></div>
</div>

That's it!

If you want to change the name of the "sprite" class you can set it in the bundle options.

var options = new BundleOptions
{
	Css = new CssOptions { SpriteClassName = "myspriteclass" }
};

Download example web solution BundlerSprites [4 MB]


For more on using Bundler.NET check out the documentation page on codeplex.


*Update 2013-02-27: ?embed is now required to include images in the sprite. This is to avoid having images that are already sprites included which would not work well with already defined CSS for those sprites.

Active Page Report Generator

Have you ever wanted to get a report of all web pages on a website? That's exactly what a friend of mine wanted. I'm savvy at writing web crawlers, so I had no problem whipping something up for him. It's simple - give it a web page to start on and it will find all of the links on that page, and branch out from there. Only web pages with the same domain name are crawled. Dynamic pages are limited to 100 hits. When it's all done crawling it outputs a nice text file with all of the web page URLs listed alphabetically.


Today I am releasing it for public consumption. It requires .NET 4.5, which should already be installed if you keep Windows Update up to date.
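Added example (not the released ActivePageReport code) of the crawl the post describes, in Python: same-domain links only, a hit limit on dynamic pages (those with a query string), and an alphabetical list at the end. The sample site and the example.test host are constructed so it runs offline; swap the lambda for a real fetch function to use it against a site you run.

```python
from html.parser import HTMLParser
from typing import Callable, Dict, List
from urllib.parse import urljoin, urlsplit, urlunsplit

DYNAMIC_PAGE_LIMIT = 100  # cap on pages that carry a query string, as the post describes

class LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # collect the href of every <a> tag in the page
            self.links.extend(v for k, v in attrs if k == "href" and v)

def crawl(start_url: str, fetch: Callable[[str], str], dynamic_limit: int = DYNAMIC_PAGE_LIMIT) -> List[str]:
    """Breadth-first crawl that never leaves start_url's host; returns the fetched URLs sorted."""
    host = urlsplit(start_url).netloc
    queue, queued, fetched, dynamic_hits = [start_url], {start_url}, set(), 0
    while queue:
        url = queue.pop(0)
        try:
            body = fetch(url)
        except Exception:  # unreachable page: left out of the report, the crawl continues
            continue
        fetched.add(url)
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            parts = urlsplit(urljoin(url, href))
            if parts.scheme not in ("http", "https") or parts.netloc != host:
                continue  # only follow links on the same domain
            target = urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))
            if target in queued:
                continue  # fragment-only variants collapse onto the page already queued
            if parts.query:  # dynamic page: honour the hit limit
                if dynamic_hits >= dynamic_limit:
                    continue
                dynamic_hits += 1
            queued.add(target)
            queue.append(target)
    return sorted(fetched)

# Constructed sample site (my fixture); the lambda in crawl_sample stands in for HTTP.
SAMPLE_SITE: Dict[str, str] = {
    "http://example.test/": '<a href="/about">A</a><a href="/search?q=1">S</a><a href="http://other.test/">X</a>',
    "http://example.test/about": '<a href="/">Home</a><a href="/about#team">Team</a><a href="/missing">M</a>',
    "http://example.test/search?q=1": '<a href="/search?q=2">Next</a>',
    "http://example.test/search?q=2": "",
}

def crawl_sample(dynamic_limit: int = DYNAMIC_PAGE_LIMIT) -> List[str]:
    return crawl("http://example.test/", lambda url: SAMPLE_SITE[url], dynamic_limit)
```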


Download ActivePageReport_1.0.zip [6KB]