Interesting read in today's Wall Street Journal. Most interesting is that consultants push “change often” mentalities on clients (as often as once a month), and companies that don't require PW changes are often those in the security industry, such as Fortinet. Bottom line from one consultant was it's better to have a PW someone can remember than to change them all the time and have the user write them on a sticky note.
Security experts have long recommended that computer users choose hard-to-break passwords and change them frequently in order to frustrate hackers. Now, those recommendations are being newly forced on millions of U.S. workers in the name of preventing financial fraud under the Sarbanes-Oxley corporate-reform act.
...
No matter that Sarbanes-Oxley doesn't actually require changing passwords: In the name of those "internal controls," auditors and consultants are prodding companies to require that employees pick tougher passwords, and change them more frequently.
But the zeal for impenetrable computer systems rubs up against the limits of human systems. To cope with repeated changes to multiple passwords, many users adopt strategies that actually thwart security.
...
Happy Holidays from the Pittsburgh .NET User Group! We hope to see you at the December meeting next week.
When: Tuesday, December 14
Where: Pittsburgh Technology Council
Speakers: Stan Spotts, Developer Evangelist, Microsoft & David Hoerster, CIBER
Agenda:
5:30-6:00 .NET 101: Avalon Demo
Stan Spotts from Microsoft will provide a demo of Avalon for this month's .NET 101 session. Stan Spotts, MCSE, MCSD, MCDBA, CCA, A+, is a Developer Evangelist in the Greater Pennsylvania District.
6:00-6:15
Developer Café
This will be an open opportunity to meet with your peers and network. Refreshments will be provided.
6:15-6:20
User Group Updates
As the title implies, this will be a short opportunity to discuss anything new with the user group. This time will also give members a chance to have any general questions about the group answered.
6:20-8:00
Using Whidbey, Yukon and BizTalk 2004 to Create Enterprise Software Applications
This month's presentation will look at real-world experience using cutting edge .NET tools. David Hoerster from CIBER will discuss what development improvements they are seeing by using Whidbey and Yukon betas. David will also discuss integration with BizTalk 2004. The presentation will conclude with a look at the quirks associated with these tools.
Registration:
Sadiq Durham or 412-918-4229.
I'm not a big fan of storing a lot of information in cookies and session variables (and even less so if the information is sensitive), but sometimes, for any number of reasons, you gotta stash the info somewhere, and cookies and session variables fit the bill. If you have to do this, make sure the information is encrypted. Cookies are stored as plain text files on the user's PC, where they can be opened with Notepad or searched with any number of tools, and anything a user can read they can also edit before sending it back to you. Session variables live on the server only for the lifetime of the session, which makes them the safer choice, but they are not 100% secure: with ASP.NET's StateServer or SQLServer session modes the data sits in another process or database that can be read, and the session ID cookie that points at the data can itself be stolen.
The important issue with storing data in cookies or session variables is that the encryption must be reversible. A password can be stored as a one-way hash because you only ever compare against it, but cookie and session data has to be read back: you encrypt it to protect it, decrypt it to use it, probably encrypt it again after some modification, and so on. That means a symmetric cipher (Rijndael/AES rather than the obsolete DES) with a key that never leaves the server, a fresh IV for every encryption, and, for cookies in particular, a MAC over the ciphertext so that an altered cookie is rejected instead of decrypted.
So if you have to use cookies to persist data, or sessions to carry information, be responsible with the data and encrypt it. Here are a few references and tools I have collected:
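Here is what reversible-but-tamper-proof protection of a cookie value looks like in .NET. This is an added example, not code from the original post or from any of the articles listed below. It assumes two independent 32-byte keys that live only on the server (in a real app they would come from a protected config section, not be generated per process as the Main method does here); AES in CBC mode with a random IV provides the reversible encryption, and an HMAC-SHA256 tag over IV and ciphertext (encrypt-then-MAC) lets the server reject any cookie the user has edited. The class and method names are my own.

```csharp
// Added example (not from the original post or any linked article): reversible,
// authenticated protection for a cookie or session value in .NET.
// Cookie value, Base64-encoded: IV (16 bytes) || AES-CBC ciphertext || HMAC-SHA256 tag (32 bytes)
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public sealed class CookieProtector
{
    private const int IvLen = 16, TagLen = 32;
    private readonly byte[] _encKey;  // AES-256 key
    private readonly byte[] _macKey;  // separate HMAC key; never reuse the AES key for this

    public CookieProtector(byte[] encKey, byte[] macKey)
    {
        if (encKey.Length != 32 || macKey.Length != 32) throw new ArgumentException("keys must be 32 bytes");
        _encKey = encKey;
        _macKey = macKey;
    }

    // Encrypt, then authenticate IV || ciphertext. A fresh IV per call means that
    // re-encrypting the same data after a change never produces a repeated cookie.
    public string Protect(string plaintext)
    {
        byte[] iv = new byte[IvLen];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(iv);

        byte[] ct;
        using (Aes aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.Key = _encKey; aes.IV = iv;
            using (ICryptoTransform enc = aes.CreateEncryptor())
            using (MemoryStream ms = new MemoryStream())
            {
                using (CryptoStream cs = new CryptoStream(ms, enc, CryptoStreamMode.Write))
                {
                    byte[] pt = Encoding.UTF8.GetBytes(plaintext);
                    cs.Write(pt, 0, pt.Length);
                }
                ct = ms.ToArray();
            }
        }

        byte[] blob = new byte[IvLen + ct.Length + TagLen];
        Buffer.BlockCopy(iv, 0, blob, 0, IvLen);
        Buffer.BlockCopy(ct, 0, blob, IvLen, ct.Length);
        using (HMACSHA256 hmac = new HMACSHA256(_macKey))
        {
            byte[] tag = hmac.ComputeHash(blob, 0, IvLen + ct.Length);
            Buffer.BlockCopy(tag, 0, blob, IvLen + ct.Length, TagLen);
        }
        return Convert.ToBase64String(blob);
    }

    // Returns null for anything that is not a valid, untampered cookie made with these keys.
    public string Unprotect(string cookieValue)
    {
        byte[] blob;
        try { blob = Convert.FromBase64String(cookieValue); }
        catch (FormatException) { return null; }
        if (blob.Length < IvLen + 16 + TagLen) return null;   // IV + at least one AES block + tag

        int bodyLen = blob.Length - TagLen;
        using (HMACSHA256 hmac = new HMACSHA256(_macKey))
        {
            byte[] expected = hmac.ComputeHash(blob, 0, bodyLen);
            if (!FixedTimeEquals(expected, blob, bodyLen)) return null;  // verify before decrypting anything
        }

        byte[] iv = new byte[IvLen];
        Buffer.BlockCopy(blob, 0, iv, 0, IvLen);
        using (Aes aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.Key = _encKey; aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, IvLen, bodyLen - IvLen));
        }
    }

    // Compare every byte so timing does not leak how much of a forged tag was right.
    private static bool FixedTimeEquals(byte[] tag, byte[] buf, int offset)
    {
        int diff = 0;
        for (int i = 0; i < tag.Length; i++) diff |= tag[i] ^ buf[offset + i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] encKey = new byte[32], macKey = new byte[32];   // demo only: real keys come from protected config
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) { rng.GetBytes(encKey); rng.GetBytes(macKey); }
        CookieProtector p = new CookieProtector(encKey, macKey);

        string cookie = p.Protect("uid=42;role=user");          // constructed sample payload
        Console.WriteLine(p.Unprotect(cookie));                 // round trip

        // Flip one IV bit: CBC without a MAC would quietly decrypt this to "tid=42;role=user";
        // with the MAC the tampered cookie is rejected.
        byte[] raw = Convert.FromBase64String(cookie);
        raw[0] ^= 0x01;
        Console.WriteLine(p.Unprotect(Convert.ToBase64String(raw)) ?? "rejected");
    }
}
```

The caller puts the returned string in the cookie (Base64 is safe for a cookie value) and treats a null from Unprotect as "no cookie", never as an error message that tells the user what went wrong. The same class works for values you hand off to an out-of-process session store; the only difference is that the user never sees those, so the MAC is there to catch corruption and key mismatches rather than deliberate edits.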
Encrypting Cookie Data with ASP.NET (15 Seconds)
If you have never seen the voluminous quantity of cookie data on your machine, try the following. Open Internet Explorer, select Tools and then Internet Options from the menu. From the Internet Options dialog click the Settings button. Then on the Settings dialog click View Files. An Explorer window will display all the cached data your browser has kindly filled your hard drive with. Sort the list alphabetically, then scroll down to the Cs. (C is for "Cookie" :)) On my machine, there are currently 1,850 cookie files.
So, here is some advice - don't store sensitive data about users in cookies. If you must, then you have a responsibility to protect that data through encryption.
Encryption/Decryption with .NET (The Code Project)
The System.Security.Cryptography namespace within the Microsoft .NET Framework provides a variety of tools to aid in encryption and decryption. The CryptoStream class is used here to demonstrate encryption and decryption with a System.Security.Cryptography.SymmetricAlgorithm, such as the DESCryptoServiceProvider, RC2CryptoServiceProvider, and RijndaelManaged classes (of these, use Rijndael/AES; DES and RC2 have keys far too short to rely on today).
Building Secure ASP.NET Applications (Microsoft PAG - PDF Download)
One of the sections of the huge (600+ page) document discusses DPAPI, the Windows Data Protection API: reversible encryption whose key is derived from the machine's (or the user's) credentials, so the ciphertext can only be decrypted on that machine, or by that user. That makes it a good fit for protecting keys and connection strings at rest, and a poor fit for anything that has to be decrypted on another box, such as a cookie in a web farm. This is a must-read for a bunch of other reasons, and also provides a nice segue for the next entry.
DPAPI Helper Library (Franklins.net)
Carl Franklin saved us from building that horrendous “simple DPAPI library” in the above article, with a very simple assembly you can drop into any project and use right away. Carl also has a blog entry on this helper library: http://weblogs.asp.net/cfranklin/archive/2004/03/18/91746.aspx. Read the above article to fully appreciate this contribution.
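As an added example (not Carl Franklin's library or the PAG code), here is the way DPAPI fits into a cookie-encryption scheme: it protects the cookie keys at rest so they are not plain text in web.config or a key file. System.Security.ProtectedData lives in System.Security.dll on the .NET Framework (on .NET Core/5+ it is the Windows-only System.Security.Cryptography.ProtectedData package). The file location and the entropy string are my assumptions.

```csharp
// Added example (not from the original post or Carl Franklin's helper):
// keep a cookie-encryption key on disk DPAPI-protected so only this machine can read it.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class ProtectedKeyFile
{
    // Optional entropy: with LocalMachine scope any process on the box can call Unprotect,
    // so mix in an application-specific value (assumed name) that other apps do not know.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("cookie-keys-v1");

    // Generate a fresh random key and write it out as a DPAPI blob.
    public static void CreateKeyFile(string path, int keyLen)
    {
        byte[] key = new byte[keyLen];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        byte[] blob = ProtectedData.Protect(key, Entropy, DataProtectionScope.LocalMachine);
        File.WriteAllBytes(path, blob);
        Array.Clear(key, 0, key.Length);   // do not leave the plain key in memory longer than needed
    }

    // Unprotect throws CryptographicException on another machine or with different entropy,
    // which is the point: a copied key file is useless anywhere but here.
    public static byte[] LoadKey(string path)
    {
        byte[] blob = File.ReadAllBytes(path);
        return ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);
    }

    public static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "cookie-enc.key");   // assumed location
        CreateKeyFile(path, 32);
        byte[] key = LoadKey(path);
        // The file holds DPAPI output, not the key itself, so it is larger than 32 bytes and
        // reading it with Notepad yields nothing usable.
        Console.WriteLine("loaded {0}-byte key from a {1}-byte protected blob", key.Length, new FileInfo(path).Length);
    }
}
```

CurrentUser scope would bind the blob to the app pool identity instead, but that identity's profile has to be loaded for DPAPI to work, which is why most web applications use LocalMachine plus entropy as shown. Because the blob is machine-bound, each node in a web farm needs its own protected copy of the same key, created on that node.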
NCrypto (SourceForge)
So you need some crypto stuff (easy to use and ready for shipping) and don’t have enough time or interest in learning and writing all that crypto code?
Cryptography in .NET (The Code Project)
Before .NET, cryptography on Windows meant calling the unmanaged Win32 CryptoAPI, an obscure way to encrypt or decrypt data. .NET provides a set of classes (in fact a complete namespace, System.Security.Cryptography) for the subject, with a number of classes implementing predefined algorithms that you can use to secure your data. Three kinds of cryptography are defined under that namespace, each with its own abstract base class: AsymmetricAlgorithm, SymmetricAlgorithm and HashAlgorithm. This article discusses SymmetricAlgorithm.