ASP.NET MVC security and user management done the right way (opens in new tab)

(aspsecuritykit.com)

16 pointsjelf12y ago16 comments

16 comments

If you're the author of that site... You should get someone who's really good at editing English to polish up the language. There are some obvious, little mistakes. For example, "some bonus" should be "a bonus" or "a (bigger) bonus" or something like that.

Maybe I'm the only one who actually cares about this kind of thing, but to me, little mistakes make something look unprofessional, or make me assume I'm dealing with a person who can only write code and doesn't have a broader perspective on things.

varunkho12y ago

Hi author here. Thanks for the feedback. Definitely get this corrected.

varunkho12y ago

Hi author here! if you have any feedback or suggestion, do let me know. you can also drop me a mail – varun@ASPSecurityKit.net

ASP Security Kit is my humble attempt to solve membership management problem for applications built on ASP.NET Mvc platform. I have periodically observed that There are many common but essential requirements for most real-world web applications that aren't served well. Like action-based and resource (entity record) aware authorization. ASK handles all such must-to-have requirements pretty transparently and is highly flexible. This is because it's been developped and actively improved as a basis of many consultancy projects I have undertaken over the years.

It has also many nice-to-have things and many more things planned. I'm pretty excited about it and looking at the trafic I have received, many other feel the same way. So thanks everyone for logging on to the site and special thanks to those who have shown interest and provided their email! I'll soon get in touch with you all personally sharing the progress and launch date.

SideburnsOfDoom12y ago

You say that it "Implements salted password hashing" but you don't mention the details of the method. Which method is it - bcrypt, md5, scrypt, sha1, pbkdf2 or something in-house? Why not say which?

I confess that I had to look up "key stretching". Is it usual to do this, and why do you do it?

varunkho12y ago

Glad you asked this. That is just a pre-launch page so it does not go into detail in length. Nothing built in-house – it uses Salted password hashing with PBKDF2-SHA1 and key stretching as mentioned on [0]. Password hashing is too delicate to write a custom algorithm.

[0] http://crackstation.net/hashing-security.htm

"Salt ensures that attackers can't use specialized attacks like lookup tables and rainbow tables to crack large collections of hashes quickly, but it doesn't prevent them from running dictionary or brute-force attacks on each hash individually. High-end graphics cards (GPUs) and custom hardware can compute billions of hashes per second, so these attacks are still very effective. To make these attacks less effective, we can use a technique known as key stretching. The idea is to make the hash function very slow, so that even with a fast GPU or custom hardware, dictionary and brute-force attacks are too slow to be worthwhile. The goal is to make the hash function slow enough to impede attacks, but still fast enough to not cause a noticeable delay for the user."

1 more reply

cangencer12y ago

I appreciate the effort, but I would never use something like this which is not open source.

styles12y ago

https://github.com/brockallen/BrockAllen.MembershipReboot/

codeulike12y ago

Not Open-Source then. So how do we know that it is secure?

varunkho12y ago

Most of it is installed as source files in your mvc project so you are free to change and inspect things. This is where protection against XSS/XSRF/over-posting attacks is handled as in Mvc. Only the core module is delivered as closed library. But that is more of a business layer than the security layer. The best thing about the core module is that every piece is swappable (including salted password hashing with key stretching piece) as everything is based on service pattern (interfaces and contracts).

egeozcan12y ago

These days, it's really hard to make people trust any library that they can't see the source of, especially those that manage "sensitive stuff" like authentication.

1 more reply

j / k navigate · click thread line to collapse

16 comments

javert12y ago

varunkho12y ago

Hi author here. Thanks for the feedback. Definitely get this corrected.

varunkho12y ago

Hi author here! if you have any feedback or suggestion, do let me know. you can also drop me a mail – varun@ASPSecurityKit.net

SideburnsOfDoom12y ago

You say that it "Implements salted password hashing" but you don't mention the details of the method. Which method is it - bcrypt, md5, scrypt, sha1, pbkdf2 or something in-house? Why not say which?

I confess that I had to look up "key stretching". Is it usual to do this, and why do you do it?

varunkho12y ago

[0] http://crackstation.net/hashing-security.htm

1 more reply

cangencer12y ago

I appreciate the effort, but I would never use something like this which is not open source.

styles12y ago

https://github.com/brockallen/BrockAllen.MembershipReboot/

codeulike12y ago

Not Open-Source then. So how do we know that it is secure?

varunkho12y ago

egeozcan12y ago

These days, it's really hard to make people trust any library that they can't see the source of, especially those that manage "sensitive stuff" like authentication.

1 more reply

j / k navigate · click thread line to collapse