Validating web forms in asp.net
(Do not) Roll-your-own Java Script encryption/hashing Given the nonzero cost and perceived technical difficulty of setting up an SSL certificate on your website, some developers are tempted to roll their own in-browser hashing or encryption schemes in order to avoid passing cleartext logins over an unsecured wire.
While this is a noble thought, it is essentially useless (and can be a security flaw) unless it is combined with one of the above - that is, either securing the line with strong encryption or using a tried-and-tested challenge-response mechanism (if you don't know what that is, just know that it is one of the most difficult to prove, most difficult to design, and most difficult to implement concepts in digital security).
This type of wiretapping is done routinely by governments, but in general we won't address 'owned' wires other than to say this: If you are protecting anything important, use HTTPS.
In essence, the only practical way to protect against wiretapping / packet sniffing during login is by using HTTPS or another certificate-based encryption scheme (for example, TLS) or a proven & tested challenge-response scheme (for example, the Diffie-Hellman-based SRP). Of course, if you are willing to get a little bit impractical, you could also employ some form of two-factor authentication scheme (e.g.
do not usually contain enough entropy) and a password guessing attack could be completed in a relatively short time by an attacker with access to the hashes.
This is why a KDF is used - these effectively "stretch the key" meaning that each password guess an attacker makes involves iterating the hashing algorithm multiple times, for example 10,000 times, making the attacker's password guessing 10,000 times slower.
I've even argued with people who said "but it submits to https://..." and only got blank stares when I asked if they were sure an attacker didn't rewrite the non-encrypted page the form was served over.The secure flag ensures that the cookie is only sent back via HTTPS, and therefore protects against network sniffing attacks. Where a cookie referencing a non-existent session is presented, its value should be replaced immediately to prevent session fixation.Persistent Login Cookies ("remember me" functionality) are a danger zone; on the one hand, they are entirely as safe as conventional logins when users understand how to handle them; and on the other hand, they are an enormous security risk in the hands of careless users, who may use them on public computers and forget to log out, and who may not know what browser cookies are or how to delete them.To verify a login, you run the same hash function on the entered password, this time passing in the salt and compare the resulting hash string to the value stored in your database.
bcrypt and scrypt store the salt with the hash already.We'll assume you already know how to build a login password HTML form which POSTs the values to a script on the server side for authentication.