STRONG PASSWORD GENERATOR
Online security is becoming a big problem and one of the fastest-growing industries in the world. Believe it or not, most hack jobs are done internally by employees of the company; many companies never admit to being hacked, or they simply don't know. We sometimes learn about these events years after they happen.
If you are an Internet engineer, here are some tips:
1. Create all your passwords using a strong password generator
http://strongpasswordgenerator.com/
http://www.mytsoftware.com/dailyproject/PassGen/PassGen.html
http://goodpassword.com/
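As an added example (not code from the page or from any of the generators linked above), the generator below shows what "strong" means in practice: characters drawn from a cryptographically secure source (Python's secrets module rather than random), a guaranteed mix of character classes, an entropy estimate, and, for tips 2 and 3, one distinct password per system. The character-class alphabet and the system names are assumptions chosen for the example.

```python
import math
import secrets
import string

# Character classes the generator draws from (constructed for this example).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
ALL_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(ALL_CLASSES)  # 87 distinct characters


def covers_all_classes(password: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in ALL_CLASSES)


def generate_password(length: int = 20) -> str:
    """Return a random password of `length` characters.

    secrets.choice uses the OS CSPRNG, so the output is unpredictable even to
    someone who knows the generator. Candidates that miss a character class
    are rejected and redrawn, which keeps the selection uniform over the set
    of passwords that satisfy the class rule.
    """
    if length < len(ALL_CLASSES):
        raise ValueError("length must be at least %d" % len(ALL_CLASSES))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if covers_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    20 characters from an 87-character alphabet give about 129 bits."""
    return length * math.log2(alphabet_size)


def passwords_per_system(systems) -> dict:
    """Tips 2 and 3: one distinct password per system (test, production web,
    production SQL Server, ...). Returns a dict system -> password and
    guarantees no two systems share a password."""
    result = {}
    seen = set()
    for name in systems:
        pw = generate_password()
        while pw in seen:  # astronomically unlikely, but the rule is enforced
            pw = generate_password()
        seen.add(pw)
        result[name] = pw
    return result


if __name__ == "__main__":
    # Example system names are assumptions for the demo.
    for system, pw in passwords_per_system(["test", "prod-web", "prod-sql"]).items():
        print("%-9s %s" % (system, pw))
    print("entropy per password: %.1f bits" % entropy_bits(20))
```

The rejection loop matters: padding a random string with one forced character from each class would make some positions predictable, whereas redrawing keeps every position uniform.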
2. Keep two sets of passwords for your ASP.NET login into SQL Server: one for test/development and one for production. If someone inside the company hacks your test system, they will not be able to harm production.
3. Use different passwords for different systems. If you have a test server, a production web server, and a production SQL Server, you should have three different passwords.
4. ASP.NET logins into SQL Server don't change very often. Write them down offline in a book, or don't write them down at all; sometimes it is easier to replace them than to retrieve them. If you keep them in a book, make sure the book is kept under lock. If you keep your passwords in an Excel file, encrypt the Excel file from within Excel.
5. Store the passwords for a Visual Studio web site outside the solution. Use the registry, the file system, or a combination of both. This forces the hacker to get through another layer before he can retrieve the value.
6. Always encrypt the login string, including the target server:
connectionString="Server=TheServer; Database=MyDB; User Id=MyUser; password=Passw0rd"
As the ASP.NET page executes, the string is decrypted on the fly. This forces the hacker to know how the string is decrypted before he can do any harm, even if he can read the registry.
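As an added example for tips 5 and 6 (not code from the page, and not an ASP.NET component), the snippet below handles the connection-string format shown above on the application side: it parses the "Key=Value;" segments, refuses to load the secret from a file that lives under the solution directory, and redacts the password before the string is printed or logged (the situation tip 11 describes, where developers print credentials to the screen). The decrypt-on-the-fly step from tip 6 is deliberately not implemented here; it belongs to the platform's protected-configuration facility. The sample connection string, file paths and solution directory name are constructed for the example.

```python
import tempfile
from pathlib import Path

# Connection string in the page's format (constructed sample; not a real
# server or credential).
SAMPLE = "Server=TheServer; Database=MyDB; User Id=MyUser; password= Passw0rd"

# Connection-string keys whose values must never reach a log or a screen.
SECRET_KEYS = {"password", "pwd"}


def parse_connection_string(conn: str) -> dict:
    """Split an ADO.NET-style connection string into a dict.

    Keys are lower-cased and whitespace around keys and values is trimmed
    (so 'password= Passw0rd' yields 'Passw0rd'); values keep their case.
    """
    fields = {}
    for part in conn.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError("malformed segment: %r" % part)
        key, value = part.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def redact(conn: str) -> str:
    """Return the connection string with every secret value replaced by ***,
    so the string can be shown in logs or debug output without leaking it."""
    out = []
    for part in conn.split(";"):
        if not part.strip():
            continue
        if "=" in part:
            key, _ = part.split("=", 1)
            if key.strip().lower() in SECRET_KEYS:
                out.append("%s=***" % key.strip())
                continue
        out.append(part.strip())
    return "; ".join(out)


def is_outside_solution(secret_path, solution_dir) -> bool:
    """Tip 5: the secrets file must not live under the solution directory,
    otherwise it ships with the code (source control, deployment zips)."""
    secret = Path(secret_path).resolve()
    solution = Path(solution_dir).resolve()
    return solution not in secret.parents


def load_connection_string(secret_path, solution_dir) -> dict:
    """Read the connection string from a file outside the solution and parse it.
    Decryption (tip 6) would happen between reading and parsing; it is left to
    the platform's protected-configuration mechanism and is not done here."""
    if not is_outside_solution(secret_path, solution_dir):
        raise ValueError("connection string file must be outside the solution")
    text = Path(secret_path).read_text(encoding="utf-8").strip()
    return parse_connection_string(text)


def demo() -> dict:
    """Write the constructed sample to a file beside (not inside) a fake
    solution directory, then load it the way the application would."""
    with tempfile.TemporaryDirectory() as tmp:
        solution = Path(tmp) / "MySolution"
        solution.mkdir()
        secret = Path(tmp) / "secrets" / "db.txt"
        secret.parent.mkdir()
        secret.write_text(SAMPLE, encoding="utf-8")
        return load_connection_string(secret, solution)


if __name__ == "__main__":
    fields = demo()
    print("connecting to %s / %s as %s" % (fields["server"], fields["database"], fields["user id"]))
    print("for the log:", redact(SAMPLE))
```

Routing every debug print through redact() is what makes tip 11 hold in practice: a developer who prints the connection string sees the server and database but not the production password.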
7. ASP.NET pages log into SQL Server using the credentials of an existing SQL Server login. That login needs the least amount of privilege in the database: leave it in "public" and then assign permissions per table and per stored procedure. Never use the same login for multiple databases; use one login per database.
8. Some tables will only require read access, for example the table behind a state drop-down on a registration form.
9. Use classes to build the connection string, and mix them up to make it confusing. Many hackers move on when the level of difficulty increases.
10. Don't document how the authentication method(s) work inside the ASP.NET pages. Even when you release documentation to the customer, encryption and other sensitive information should be kept in a separate document.
11. If you manage a large web team, assign security to only a few key people. All other developers can use classes to communicate with the database. Even if developers print the credentials to the screen, they will never know the production system passwords. Before the code is published live, a manager should check what the code does.