Reverse Engineering Team Board

Reverse Engineering Team Board (http://www.reteam.org/board/index.php)
-   .NET Reverse Engineering (http://www.reteam.org/board/forumdisplay.php?f=28)
-   -   .net app passwords (http://www.reteam.org/board/showthread.php?t=1463)

ericb1 03-11-2009 09:52 AM

.net app passwords
 
Any help is appreciated. I administer a .net web application, and we have some employees who run queries and build reports, etc. off the data, which is stored in SQL2005.

I've noticed that some of them make local copies of some tables to work with locally, but the "account" table has all the users passwords stored in them. Now, they're stoed in an encrypted state, but from a security standpoint, I was wondering how bad this is. Is there any known way to reverse these passwords to reveal them?

I was going to disallow the storing of these passwords, but if it's not a real security risk, then I wasn't going to make a big deal out of it.

Any insights are appreciated, thanks!

rongchaua 03-11-2009 10:21 AM

Quote:

Is there any known way to reverse these passwords to reveal them?
Yes it's according to how you encrypted the password and how secure the password is.

For example, I use a "standard" password with big,small,number, special character in length of 12 characters. I encrypted them with MD5 to a MD5 hash. It is pretty secure for revealing the password. But ...

The problem I see here is not what you concern about. But that is your authentication system. If the user can work locally with tblUser, then I have question: How do you authenticate the user? That means when I, an user, work locally and log into the system. Which table will be used to authenticate me? The local one or the online one?
If you use the local one, then you must think about "cookie faking". With "cookie faking" I can easily loginto an account of other user.
If you use the online one, I recommend you to remove the tblUser (which supports the authentication process) immediately from local database under any circumstance. It gives you a very,very big risk for your systems in future.
Your system will get bigger day after day. And if you do not do it right away, it'll be very complex to do it later.

ericb1 03-11-2009 10:51 AM

Thanks so much for the reply. What we do is that our production sql server makes a nightly backup of the production database to another server.

This 2nd server is where we run reports and queries from so as not to impact production performance. To access this server, there is an Active Directory user group that authenticates people into SQL server 2005.

Within this copy of the production database, is the tblUser with first name, last name, accountID, password, email address, etc. So there's only a handful of people who can access this server, and that is controlled, but these people have sql server installed on their own PC's, so they make local copies of the database, including tblUser. From here I lose control of who can access what.

This is where I was concerned with the passwords being exposed. If someone had the table, can they reverse the passwords to expose them, etc.

Thanks again.

rongchaua 03-11-2009 11:35 AM

@ericb1:
Quote:

If someone had the table, can they reverse the passwords to expose them, etc.
As I answer you above. That can be. A hacker can reverse your encrypted password.
I do not know what kind of tblUser you are discussing. It is your custom table which is served only for authentication of that database Or that is the tblUser extracted from Active Directory.
If it is a custom table, you should tell us which algorithm you use to hash your Password. A MD5 hash is ok and a SHA hash is more better.
If it is a table which extracted from Active Directory, and then this is the way to crack the password: http://www.irongeek.com/i.php?page=security/cachecrack

ericb1 03-11-2009 12:15 PM

It is a custom database used only for authenticating users in the web application. (which is why I don't think people running queries against the database for reports need it).

However, I don't know how it's encrypted, MD5 or SHA, etc.

Thanks again!


All times are GMT -4. The time now is 03:23 PM.

Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2022, Jelsoft Enterprises Ltd.