Microsoft Article : How to Securely Store Passwords and Beat the Hackers

How to Securely Store Passwords and Beat the Hackers

I have just written my first article for the Microsoft UK Developer site on How to Securely Store Passwords and Beat the Hackers. The article talks about the best way to protect passwords by first exploring ways that you shouldn’t protect and store passwords.

Password Based Key Derivation Function Iteration Counts

I have already spoken about Password Based Key Derivation Functions before on this blog and I have discussed secure password storage with PBKDF2 at length in my Pluralsight course, Practical Cryptography in .NET, but in this post I want to expand this a bit and talk about picking suitable iteration counts for the PBKDF2 key derivation process.

Choosing a good number of iterations for PBKDF2

A reader of this blog, Geoff Hirst, gave me a heads up about an episode of the Security Now podcast, specifically episode 512, where the recent security breach at LastPass was discussed. Luckily no one’s data was actually at risk due to their security policies and good use of encryption, but the podcast talked about something that was interesting, and that was: what should you set your PBKDF2 iteration count to?

I must admit I have always used round numbers like 50,000 or 100,000, but the podcast says this isn’t a good idea and you should use a five-figure number, beginning with a digit larger than 2, but a random number which isn’t rounded to a specific whole number such as 50,000 or 100,000.

By making this a random number that you do not disclose you are making an attacker’s life much harder, as they have to get the iteration count correct. Of course you shouldn’t rely on this as a main piece of security information, but anything that can make an attacker’s life a little harder has to be a good thing.

If you are dealing with a system that has multiple users, why not randomly generate different iteration counts per user? Then if one user does get compromised and their password recovered, your other users are still safe, as the attacker would still need to guess their number of iterations.
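As an added example (not code from this post or from the author's Pluralsight course), here is a Python sketch of the per-user scheme described above: each user gets their own random five-figure iteration count, drawn from the range the podcast suggests and never a round value, stored in the password record beside the salt, and verification re-derives the key with that user's stored count. The range bounds, the record format and every function name are assumptions made for the example. One practical point it makes visible: the count has to be stored where the verifier can read it, so it only adds work for an attacker who did not also obtain the record; the size of the count, not its secrecy, remains the real defence.

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Assumed range: a five-figure count whose first digit is larger than 2, as the post suggests.
MIN_ITERATIONS = 30_000
MAX_ITERATIONS = 99_999
HASH_NAME = "sha256"
DK_LEN = 32


def choose_iterations() -> int:
    """Pick a per-user iteration count uniformly from the assumed range, skipping round values."""
    while True:
        n = MIN_ITERATIONS + secrets.randbelow(MAX_ITERATIONS - MIN_ITERATIONS + 1)
        if n % 1000 != 0:  # avoid 50,000-style round numbers the post warns against
            return n


def hash_password(password: str, iterations: Optional[int] = None, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record (assumed format): $pbkdf2-sha256$<iterations>$<salt>$<hash>."""
    salt = salt if salt is not None else os.urandom(16)
    iterations = iterations if iterations is not None else choose_iterations()
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=DK_LEN)
    salt_b64 = base64.b64encode(salt).decode("ascii")
    hash_b64 = base64.b64encode(dk).decode("ascii")
    return f"$pbkdf2-{HASH_NAME}${iterations}${salt_b64}${hash_b64}"


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    """Split a record back into (iterations, salt, hash); raises ValueError on malformed input."""
    _, scheme, iterations, salt_b64, hash_b64 = record.split("$")
    if scheme != f"pbkdf2-{HASH_NAME}":
        raise ValueError(f"unsupported scheme {scheme!r}")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the user's own stored count and compare in constant time."""
    iterations, salt, expected = parse_record(record)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Constructed sample users: each gets a different random count, so recovering one
    # user's password tells an attacker nothing about the others' iteration counts.
    sample = [("alice", "correct horse"), ("bob", "battery staple")]
    records = {user: hash_password(pw) for user, pw in sample}
    for user, rec in records.items():
        print(user, rec)
    print(verify_password("correct horse", records["alice"]))  # True
    print(verify_password("correct horse", records["bob"]))    # False
```

The record carries the count, the salt and the hash together, so raising the minimum later only needs a re-hash on the user's next login; `hmac.compare_digest` avoids leaking which byte of the hash first differed.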

Secret Files Decrypted by the Russians and Chinese

It was reported in the press today that a series of files contained in the files stolen by Edward Snowden have been decrypted by the Russians and the Chinese, which has given up vital strategic intelligence information, forcing SIS (MI6) to move undercover agents out of potential harm’s way. This story interests me particularly, especially given my interest in Cryptography and having released a Pluralsight course about Cryptography.

Edward Snowden : Secret Files Decrypted by the Russians and Chinese

There are a couple of things I am wondering. From a technical perspective, how were the files protected? Was it using AES, RSA, a combination of both? Were the files broken using a brute force attack? Were the keys particularly weak? These are questions that I am sure I won’t get answers to, but I am curious nonetheless.

Aside from my own technical geeky curiosity, the other thing running through my mind is why this is even in the news in the first place. It is quite strange that we would hear anything about MI6 operations in the press, which leads me and many others, like former Conservative cabinet minister Andrew Mitchell, to wonder if the news story was very well timed to coincide with the Anderson Report.

Update a WPF UI from Another Thread

This is a shorter post with a small solution to a problem, but I wanted to add it here for my own reference. I have recently been working on a little WPF pet project as I want to learn XAML and WPF. I seemed to miss that generation of UI technology when I went from mainly doing WinForms work into WCF and back end enterprise development.

The issue I had the other day was that I had a timer running in my code that triggers an event when the elapsed time hits a certain value. From that event handler I wanted to update something on the user interface. If I updated that UI item directly from the event handler, the following exception was thrown. This is because the UI is operating on a different thread to the thread handling the timer event.

Thread Exception

The solution is to use the Dispatcher.Invoke( Action ) method to make the call on the UI thread. This is demonstrated in the following example. We have a timer being set up with an event (OnTimedEvent) being fired every 5 seconds. When OnTimedEvent is called, the UI is updated inside the Dispatcher.Invoke( Action ) method.

private readonly Timer _timer = new Timer(5000); // System.Timers.Timer, 5 second interval

public MainWindow()
{
    InitializeComponent();
    _timer.Elapsed += OnTimedEvent;
    _timer.Enabled = true;
}

private void OnTimedEvent(object source, ElapsedEventArgs e)
{
    // Elapsed fires on a thread-pool thread, so marshal the UI update onto the UI thread.
    Dispatcher.Invoke(() =>
    {
        // Set property or change UI components here.
    });
}

MSDN describes this solution as follows:

In WPF, only the thread that created a DispatcherObject may access that object. For example, a background thread that is spun off from the main UI thread cannot update the contents of a Button that was created on the UI thread. In order for the background thread to access the Content property of the Button, the background thread must delegate the work to the Dispatcher associated with the UI thread. This is accomplished by using either Invoke or BeginInvoke. Invoke is synchronous and BeginInvoke is asynchronous. The operation is added to the event queue of the Dispatcher at the specified DispatcherPriority.

Invoke is a synchronous operation; therefore, control will not return to the calling object until after the callback returns.

New Blog Template

This blog, Stephen Haunts { Coding in the Trenches }, has been running since 2012 and since then I hadn’t changed the visual style of the site. Regular readers may have noticed that the styling has changed a bit from today.

New Blog Template

I have kept the same kind of layout, as I think this works well for a blog like this, but the styling has been updated to make it look and feel more modern and minimal. This site is also now fully responsive, so it will scale down well to tablets and phones.

I hope you like the changes. If you have any feedback on the new template then please leave a comment on this post.

Universal Apps on Windows 10

With the release of Windows 10 getting ever closer (July 29th for the desktop version), Microsoft is putting a lot of weight behind the new Universal Applications platform for Windows 10. This means you will now be able to write one application with one binary that works across the entire range of Windows 10 devices. This includes the desktop, mobile, IoT, Xbox, tablets and HoloLens.

Universal Apps Platform

This is really big news and helps solidify the convergence of their platforms, building on the Windows application platform introduced as part of Windows 8.1. They were partly there with Universal Applications under Windows 8.1, but you still needed a desktop and a Windows Phone version of your application even though you could share a large part of the code. Unfortunately the Windows application platform and store apps under Windows 8.1 were never really adopted by mass market consumers or the people who create apps for them, but I really hope that changes with Windows 10.

To me it finally seems as though Microsoft has created an almost perfect platform, and I really do hope it catches on, as the programming model looks great and a perfect evolution from Windows 8.1. Because an app runs across all the device groups, Microsoft is claiming that not long after launch they will be on around a billion devices. This is great, but what Microsoft really has to focus on is getting consumers to recognise that there is a store where they can buy apps.
