Re: Encrypt a UsernameToken Authenticated WSE Response




> if the password is a word in the dictionary, then it's definitely simple.
> all you do is run through the 200K to 400K words used in a language.
> so make the password a non-dictionary word, or better yet a passphrase.

That is generally good. However, my home P4 2.4GHz computer can test about
1 million passwords (dict or hybrid) per minute. So even passwords like
"sunshine;12" will be cracked in short order. Passphrases are more work,
but could still get many of those with more time. Totally random passwords
are probably the best against this attack. However, in the real world,
neither is widely used by users as they forget those passwords and regress
back to something they can remember (normally some dict word with just
enough digits appended or prepended to pass the password policy.)

> you can also make it stronger by prepending SALT.
> you should be using SALT server side anyways.
> of course all that can be beaten, but it's not exactly easy.

Salt does not add much to the wire security - only the server db security.
That is because normally salt is sent to the client in clear text so it is
known. If the client gets the salt via some encryption, then we are back to
how to get a secure session. And if we already had one, the client does not
need the salt.

> or you could use x509 as your blog says,
> and mess around with key management.

x509 or just your own RSA keys that do not require certs. I blogged a SCT
solution using just a strong name public key on the client side to get a SCT.

--
William Stacey, MVP
http://mvp.support.microsoft.com
