8 Handling passwords

 

This chapter covers

  • Learning how passwords may be stolen
  • Learning how attackers retrieve encrypted or hashed passwords
  • Exploring why hashing is best for password handling
  • Implementing password hashing with ASP.NET Core
  • Changing default password hashing behavior of ASP.NET Core

In early October 2013, Adobe reported a security incident on its servers. The original blog posts are no longer available (except through a web archive), but independent news sources paint a very clear picture. According to security journalist Brian Krebs (http://mng.bz/o2DZ), attackers were able to access the source code of a few Adobe products. Personal customer information was also stolen. As The Verge reported (http://mng.bz/nND5), the number of affected accounts was initially estimated at around 3 million, but the actual number probably turned out to be over 150 million. To be fair, it is unclear how many of those accounts were inactive or test accounts. The numbers are still staggering, though.

The extracted data included, among other things, passwords. Luckily, they were not stored in plaintext. However, it was still possible to access many of them due to the way the application worked. Let’s look at this case study to learn what went wrong (and how to do better).

8.1 From data leak to password theft

 
 
 
 

8.2 Implementing password hashing

 
 
 

8.2.1 MD5 (and why not to use it)

 

8.2.2 PBKDF2

 

8.2.3 Argon2

 
 
 
 

8.2.4 scrypt

 
 

8.2.5 bcrypt

 
 
 

8.3 Analyzing ASP.NET Core templates

 
 

Summary

 
 
 