An Updated Simple Passphrase Generator

(Note: The original version of this work is published at http://aspalliance.com/703_A_Simple_Passphrase_Generator.all, this is a long overdue update)

Just about 9 years ago I was building a partner-facing reporting website, and I needed a way to generate passwords when partners were added by customer service (no public registration) as well as to generate new ones easily when a password needed to be reset.  I wanted to generate a passphrase, which is usually easier to remember than a random string of gibberish.  Some of the “more experienced” among us will recognize this format as AOL-style passwords, which were printed on the 3.5″ floppies we received in the mail or our PC magazines of the day.

In 2014, we have nearly a decade of breaches and crappy passwords being stolen.  Even today, weak and obvious passwords are some of the most popular choices.  My hope is passphrases may become more of a standard, but I doubt it.  Some of the text of the original article is republished below; some of the links are broken, and I’ve replaced them where I could find a suitable alternative.

You can find the updated code in my BitBucket Git repo, at https://bitbucket.org/rjdudley/passphrase.  It’s pretty simple–one library project, a few tests in another project, and a console app to display the passphrases.  Use the library wherever it will run if you so wish, or fire up the console app anytime you need a good passphrase yourself.

Why Passphrases?

Perhaps first we should ask “What is a passphrase?”  Wikipedia may say it best:

A passphrase is a collection of ‘words’ used for access control, typically used to gain access to a computer system.

Passphrases were first proposed in 1981 by Sigmund Porter. Passphrases are distinguished from passwords by being composed of several words separated by spaces. Passphrases can satisfy even stringent security requirements, while being easier for the users to remember (http://technet.microsoft.com/library/cc512613.aspx). It’s this combination of complexity and ease of remembrance that makes passphrases a good part of a password policy.

Our decision to use passphrases included another reason. By using passphrases when a user’s account is set up, we hoped to set an example for our users to use passphrases as well. We hoped that users would follow our example and choose passphrases they could remember easily, and that would be more than their dog’s name concatenated with the number 1. As a precedent, I cited that AOL has for years used multiple-word passphrases as the login associated with all those floppies and CDs they send out. PGP and its variants also require a secure passphrase, which is used to protect (encrypt) your private key on disk.

Recommended Passphrase Best Practices

With the intrinsic strength of some of the modern encryption, authentication, and message digest algorithms such as RSA, MD5, SHS and IDEA the user password or phrase is becoming more and more the focus of vulnerability. (http://www.totse.com/en/privacy/encryption/passch.html)

Strong passphrases are only one part of a comprehensive security policy. For additional security, you should include other best practices in your application’s login components. Microsoft makes a number of recommendations for Windows networks which are also applicable to ASP.NET applications (http://technet.microsoft.com/library/cc162924). These recommendations include:

  • Enforce strong passwords
  • Require regular password changes
  • Maintain a password history to prevent immediate reuse
  • Lock out accounts after a certain number of failed attempts

In a very good series of articles, Jesper Johansson reiterates many of these recommendations (http://technet.microsoft.com/library/cc512624.aspx), but disagrees about using account lockout policies. Several myths surrounding Windows passwords are addressed by Mark Burnett (http://online.securityfocus.com/infocus/1554/), and although focused on Windows passwords, some of the information is also applicable to ASP.NET applications. Designing a component that includes these recommendations is beyond the scope of this article, but you should familiarize yourself with these recommendations and incorporate the pertinent ones into your application.

Generating Passphrases

FAQ: How do I choose a good password or phrase?

ANS: Shocking nonsense makes the most sense. (http://virtualschool.edu/mon/Crypto/PGPPassPhraseFAQ.html)

There are a number of methods for generating passwords and passphrases. In this article, we’ll adapt a method known as Diceware (http://world.std.com/~reinhold/diceware.html). This method consists of a numbered word list and five dice. Each word is assigned a 5-digit number using only the digits 1-6 at each position, and the list covers every combination (6^5 = 7,776 words, so each word contributes log2(7776), roughly 12.9 bits of entropy). The five dice are rolled, the faces are read left to right to form a 5-digit number, and that number is looked up in the word list to give the first word in the passphrase. This process is repeated until the requisite number of words has been reached.

Instead of rolling dice, we’ll use a random number generator to simulate the rolls. To make cross-referencing easier, we’ll load the original word list into a Dictionary keyed by the 5-digit roll. This version of the generator draws its randomness from RNGCryptoServiceProvider rather than System.Random: System.Random is seeded from the clock and its output is predictable, which defeats the purpose of a generator whose job is to produce secrets. One detail to get right when turning random bytes into die faces is bias: 256 is not a multiple of 6, so a naive “byte mod 6” favours some faces over others, and the bytes that would skew the result have to be discarded and redrawn.
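The generator described above, written out in C# as an added example (this is not the code in the BitBucket repo). It parses the Diceware word-list file format, rolls each die from a CSPRNG with rejection sampling so no face is favoured, and reports the entropy of the result. The three word-list lines inside Main are a constructed sample used only to exercise the parser; the full list is expected as a file path on the command line.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

public static class Diceware
{
    private const int ListSize = 7776;   // 6^5 entries in a complete Diceware list
    private static readonly RandomNumberGenerator Rng = RandomNumberGenerator.Create();

    // Diceware list format: "<five digits 1-6><whitespace><word>" per line. Anything
    // else (PGP signature armour, blank lines, comments) is ignored.
    private static readonly Regex Entry = new Regex(@"^([1-6]{5})\s+(\S+)\s*$");

    public static Dictionary<string, string> ParseWordList(TextReader reader)
    {
        var list = new Dictionary<string, string>(ListSize);
        string line;
        while ((line = reader.ReadLine()) != null)
        {
            Match m = Entry.Match(line);
            if (m.Success) list[m.Groups[1].Value] = m.Groups[2].Value;
        }
        return list;
    }

    // One unbiased die face (1..6). 256 is not divisible by 6, so "byte % 6" would
    // make faces 1-4 slightly more likely; bytes 252..255 are discarded and redrawn.
    public static int RollDie()
    {
        var b = new byte[1];
        do { Rng.GetBytes(b); } while (b[0] >= 252);
        return b[0] % 6 + 1;
    }

    // Five rolls read left to right, e.g. "36254", which is the word-list key.
    public static string RollKey()
    {
        var key = new char[5];
        for (int i = 0; i < key.Length; i++) key[i] = (char)('0' + RollDie());
        return new string(key);
    }

    public static string Generate(IReadOnlyDictionary<string, string> words, int wordCount, string separator = " ")
    {
        // A partial list would silently shrink the search space, so refuse it.
        if (words.Count != ListSize)
            throw new ArgumentException("Word list must contain all " + ListSize + " entries; got " + words.Count);
        var parts = new string[wordCount];
        for (int i = 0; i < wordCount; i++) parts[i] = words[RollKey()];
        return string.Join(separator, parts);
    }

    // Each word is one of 7776 equally likely choices: log2(7776) ≈ 12.9 bits per word.
    public static double EntropyBits(int wordCount)
    {
        return wordCount * Math.Log(ListSize, 2);
    }

    public static void Main(string[] args)
    {
        // Constructed sample: one armour line the parser must skip, then three entries.
        const string sample = "-----BEGIN PGP SIGNED MESSAGE-----\n11111\ta\n11112\ta&p\n11113\ta's\n";
        Dictionary<string, string> partial = ParseWordList(new StringReader(sample));
        Console.WriteLine("parsed {0} sample entries; one roll: {1}", partial.Count, RollKey());

        if (args.Length == 1)
        {
            // e.g.  PassphraseDemo.exe diceware.wordlist.asc   (the full list from the Diceware site)
            Dictionary<string, string> full;
            using (StreamReader r = File.OpenText(args[0])) full = ParseWordList(r);
            Console.WriteLine("{0}   (~{1:F0} bits)", Generate(full, 6), EntropyBits(6));
        }
    }
}
```

Six words from the full list is about 77 bits, which is comfortably beyond offline brute force; four words is about 52 bits and is the practical floor for anything an attacker can guess at offline. The separator is passed in because some sites still reject spaces in passwords.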

Hackers focus efforts on Firefox, Safari

The Internet Explorer team should be proud of themselves this week:

Many people are switching from Internet Explorer to alternative browsers such as Firefox and Safari. Though that might make them feel more secure, the shift has also opened new doors for bad guys.

Case in point: We have no IE bugs to report this month, but both Firefox and Safari have been hit hard.

However, if you’re feeling ten feet tall and bulletproof because you’re using Firefox, you might want to reexamine that idea and make sure you get the auto-updates installed:

In a somewhat dubious recognition of Firefox’s growing popularity, hackers have focused their attention on it, leading to a rash of newly discovered holes. The folks at Mozilla recently released two Firefox updates in less than six weeks, fixing a total of five critical security vulnerabilities. All five can be exploited by planting a poisoned JavaScript file in a Web site and waiting for you to stumble across it.

The scary thing here is that you don’t have to do anything to engage this exploit, and JavaScript is all but invisible to any user not really looking for it.

Likewise, Apple cultivates the image of security to every fanboy’s peril:

Safari 3.1 patches 13 holes affecting Mac OS X, Windows XP, and Windows Vista.

Think you’re safe because you don’t have Safari? You may have it without realizing it. Apple now distributes its browser with iTunes updates. Forget to uncheck a box in one of these updates, and it’s there.

The Safari holes could allow an attacker to trick you into thinking that a fake site is really your bank site, or to take over your PC via a poisoned page.

Remember it was Safari that led to the hacking of a MacBook Air in a recent contest.  Add in the insult of sneaking Safari onto machines via iTunes updates and Safari in most corporate environments would be defined as malicious.  The distribution policy has recently been changed to be more clear about what is being installed, but some damage has been done, and you still have to refuse the automatic installation.

There is a reason corporate IT departments prefer software we can control via Group Policy, and why we have policies against anyone installing anything.

New Sophisticated SQL Injection Attack

Although this attack targets websites powered by Microsoft SQL Server, databases such as Oracle are also vulnerable to this attack.

The attacks “are a very sophisticated form of SQL injection,” Qualys CTO Wolfgang Kandek told TechNewsWorld. “Normally, SQL injection is targeted to one table. With this attack, they used a generic mechanism of the underlying database to make it work on a much broader set of applications.”

The attacks have targeted sites running IIS and ASP that have an MS-SQL database. However, they are not exploiting a particular flaw in these applications — the exploit could have been written to target any database — Oracle or WebSphere, for example.

Rather, the code exploits what security researchers are bemoaning as an elementary lapse in Web security on the part of developers installing the databases.

In addition to this attack, the article mentions another one, specific to SQL Server, on the horizon:

“The underlying database servers are often misconfigured to have an extended stored procedure xp_cmdshell enabled,” Belani told TechNewsWorld. “This setting allows an attacker to execute commands at the operating system level post compromise via SQL injection. This level of access is hard to come by in other database servers like Oracle.”

Full story at http://www.technewsworld.com/edpick/62783.html?welcome=1209477802.

The root cause of these attacks is insecure web application design: untrusted input from the page request is concatenated into a SQL statement, so an attacker can append SQL of their own, which then executes with whatever rights the application’s database login has.  This is an old technique known as SQL injection, and the fix is equally old: keep the SQL text fixed and pass user input only as parameters, and run the application under a database login that cannot reach extended stored procedures such as xp_cmdshell.

If you’re not familiar with SQL injection, you need to be, since it’s a very basic flaw with serious ramifications.  I highly recommend reading 19 Deadly Sins of Software Security for a very good introduction to some very basic design issues.
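The difference between the injectable and the safe form of a lookup, as an added C# example (not code from the TechNewsWorld story or from Qualys). The table and column names are assumed for illustration, and the malicious input is constructed to show how a second statement rides in on a string concatenation; with a parameter, the same input is just a value to search for.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class PartnerLookup
{
    // BEFORE: the request value is spliced into the SQL text. SQL Server runs the
    // whole string as a batch, so input that closes the quote can append its own
    // statement. If the app's login can reach xp_cmdshell, that statement is an OS
    // command, which is the escalation the article warns about.
    public static string BuildVulnerableSql(string partnerName)
    {
        return "SELECT PartnerId FROM Partners WHERE PartnerName = '" + partnerName + "'";
    }

    // AFTER: the statement text is a constant and the value travels as a typed,
    // length-limited parameter. Nothing the caller types can alter the statement's
    // structure; quotes and semicolons are simply characters in a name.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string partnerName)
    {
        var cmd = new SqlCommand("SELECT PartnerId FROM Partners WHERE PartnerName = @name", conn);
        cmd.CommandType = CommandType.Text;
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = partnerName;
        return cmd;
    }

    public static void Main()
    {
        // Constructed malicious input: closes the literal, appends a second statement,
        // and comments out the trailing quote the application would have added.
        string evil = "x'; EXEC master..xp_cmdshell 'whoami'; --";

        Console.WriteLine(BuildVulnerableSql(evil));

        // No connection is opened here; constructing the command is enough to show
        // that the text stays fixed and the hostile string is confined to a parameter.
        using (var conn = new SqlConnection("Server=.;Database=Reports;Integrated Security=true"))
        {
            SqlCommand cmd = BuildSafeCommand(conn, evil);
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine(cmd.Parameters["@name"].Value);
        }
    }
}
```

Parameters fix the injection; they do not fix the privilege problem the article’s second quote describes. Run the site under a login that owns nothing but the tables it needs, and on SQL Server 2005 and later leave xp_cmdshell off (`EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;`) unless something genuinely depends on it.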

Dell Vostro: Not Totally Free of Crapware

One of Dell’s selling points for its new Vostro line is a lack of trial-ware.  In fact, Dell’s website makes the following claim on the Vostro homepage:

No trialware.
Customers said they hated trialware, so we took it away. Vostro systems come without annoying trialware pre-installed. You only get the software you want.

If only it were true that you only got the software you want.  Remember these machines are designed and priced for small offices, 1-25 employees.  You know the kinds of offices these are–they’re the ones without IT, and are subject to the whims of their vendors.  We recently purchased three Vostros (two Vostro 200 slim towers to expand the POS in my wife’s flower shop, and one Vostro 1500 laptop for myself), and I was dismayed to find software I didn’t really want on all three:

1) Google Toolbar is preinstalled with IE.  Google recently seems to have changed its motto from “don’t be evil” to “total world domination”, and I understand they pay a bounty to Dell for preinstallation of their toolbar.  In case you’ve missed out, Google’s been involved in a couple of privacy flaps lately.  The toolbar remembers where you go and what you do, which has probably been a reason for some of these unsecured data exposures on the Internet–the file location was sent to Google after being accessed by an unsuspecting user, and Google indexed it.  Yes, the business was stupid to not secure the data, but Google is the one who indexed the data and made it public, so I hold both complicit.

2) Google Desktop.  This one is worse than the toolbar, IMHO.  Again, it’s my understanding a bounty is paid for each installation.  And again, there are privacy issues, especially since it opens (automatically, BTW) with default settings.  If the user doesn’t know the software is installed and is indexing their documents, they might be surprised to see them show up in their searches.  While usually pretty secure, Google’s various properties have been subject to exploits recently, and there is the chance sensitive data can be compromised because of the Google desktop.  Additionally, Google Desktop introduces unexpected keyboard behaviors (e.g., double control brings up a search box), and for unknowledgeable users, this software makes their computer a thing of surprise.

3) The Dell Search Redirector.  Oh how this one works my main nerve!  If you goof a website’s address in IE, you’re transported to a Dell/Google cobranded page of “suggested results” and (drum roll please) AdWords ads.  The standard “Internet Explorer couldn’t find the website you’re looking for” page has been totally replaced.

4) Dell Network Assistant.  Yet another replacement for Windows’ built-in network connection utilities.  Granted, the user-friendliness of Windows XP’s network management is really low, but the Dell NA takes forever to find the preferred network and connect.  How slow is it?  I can boot, open Thunderbird and have it searching for my e-mail servers, and it’s still another minute or so before DNA connects.

5) Dell Support Assistant.  I feel bad for people who agree to use this one.  You get the annoying toasts saying there’s some update for your PC somewhere, but the UI is confusing and uninformative.  If there’s an alert, I should be taken right to it when I open the tool.  Plus, we don’t need the staff freaking out that something is wrong with the new PCs just because an unexpected notice pops up.  That’s disruptive to the day’s work, and takes them out of their flow if they’re taking an order and one of these messages appears.

Now, you can turn off and uninstall all of these options, but that’s not very friendly.  It should be that I can turn on anything I want, not have to turn off what I don’t.  Except for the Dell Network Assistant, all of the others have been removed from our PCs.


New from the ACE Team: XSS Detect

The ACE Team (Application Consulting and Engineering) has released a beta version of their tool to scan managed code and detect potential cross-site scripting vulnerabilities.  XSSDetect runs as a Visual Studio plug-in.

From their blog:

One of the biggest, constant problems we’ve seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug.  It’s very common and unfortunately, still an issue we have to deal with in many web applications.  Internally, the ACE Team has been working on several projects to help mitigate and fix these issues, as well as detect them in the code bases that we review so that they can be fixed before going live.

They also have a follow-up post which discusses using XSSDetect to scan large applications.  For very large applications, you may run into an “out of memory” error.  Besides bigger and badder hardware, the suggestion is to analyze binaries in smaller chunks.

FormShield for .NET 2.0 Released

Kevin Gearing has released an updated CAPTCHA control for .NET.  Not only is it compiled against the latest version, there are a lot of new features, too:

Version 2 of FormShield builds on the previous .NET 1.1 version, adding a wealth of new features, options and accessibility improvements. The most notable feature addition is the capability for FormShield to now automatically generate a spoken version of the value shown on the image to aid with accessibility legal compliance. This however is just one of a handful of major new features, not to mention the number of improvements and changes made since the previous version.

If you’re looking for an ASP.NET CAPTCHA control, this one is worth checking out.

Full story at http://dotnetfreak.co.uk/blog/archive/2007/07/13/formshield-for-net-2-0-released.aspx

Remote Web Administration Tool

Recently, a question came up in the ASP.NET security forums about the lack of a remote membership/role configuration tool in ASP.NET 2.0.  Being able to remotely manage users is important in pretty much any site where you have users.  Fortunately, QualityData has stepped in and developed that plus a little more in their Membership Manager Control.  Apparently it works with AJAX and exposes an API as well.  At $59, it’s pretty darn cheap, too.

If you need a free license (beyond the trial version) for your needs, they also have a link-for-license program.  Add a link like “Asp.Net Server Controls by Quality Data”, and let them know.

Protecting Files in Shared Hosting Environment

In a previous post (http://aspadvice.com/blogs/rjdudley/archive/2005/05/21/2595.aspx), I showed one way to protect files from direct download by configuring IIS.  In a shared hosting environment, this usually isn’t possible, so I’ll show another way to protect these files.


First, a little review.  Out of the box, only certain file extensions are mapped in IIS to the ASP.NET ISAPI extension (aspnet_isapi.dll).  These include .aspx, .ascx, .ashx, etc.  When one of these is requested, IIS hands processing off to ASP.NET; otherwise IIS serves the file directly (or hands it off to another ISAPI, as appropriate).  A number of further extensions are mapped to ASP.NET only so that ASP.NET can refuse them: they are assigned to HttpForbiddenHandler, an HTTP handler that answers every request with a 403 “This type of page is not served.” instead of the file’s contents.  If you examine the <httpHandlers> section of machine.config (or the framework’s root web.config in ASP.NET 2.0), you’ll see the list: .config, .cs, .vb, .resources, .resx and so on.


It would seem that simply adding a file extension to the <httpHandlers> section and letting HttpForbiddenHandler block its download would be enough, but unfortunately you also need to map any new extension to ASP.NET in IIS, which is exactly the configuration you can’t change in shared hosting.


However, there’s a little trick we can use.  Let’s say you have a file named “protected.pdf” which you wish to prevent direct download of.  Rename it to “protected.pdf.resources”: since .resources is already mapped to ASP.NET and forbidden, users will not be able to download the file directly even if they can guess its name.  Try it and see: request the renamed file in a browser and you should get a 403 “This type of page is not served.” rather than the PDF.  The trick depends on your host leaving the default .resources mapping in place, so check it on the production server, not just on your development machine.


When it comes time to allow users to download the file, use the System.Web.HttpResponse.WriteFile method to send it.  Since this code is now the only thing standing between the file and the Internet, it should run only after you have checked that the current user is allowed to have the file.  You may have to clear the response and add a content type to make this all work correctly, as shown:



Imports System.IO

' Map the renamed file, then derive the name the user should see. Only the file
' name is used in the header so the server's physical path is never leaked.
Dim strFileName As String = Server.MapPath("protected.pdf.resources")
Dim strFileId As String = Path.GetFileName(strFileName).Replace(".resources", "")

With HttpContext.Current.Response
   .ClearContent()
   .ClearHeaders()
   .ContentType = "application/pdf"
   .AddHeader("Content-Disposition", "inline; filename=""" & strFileId & """")
   .WriteFile(strFileName)
   .End()   ' ends the response by raising ThreadAbortException, which is normal here
End With
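A fuller version of the download step, written in C# as an added example rather than taken from the post: an .ashx handler that insists on an authenticated user, accepts only a bare file name, refuses anything that resolves outside the protected folder, and then streams the renamed file.  The folder ~/App_Data/protected, the query-string parameter “file” and the handler class name are assumptions for illustration.

```csharp
using System;
using System.IO;
using System.Web;

// Added example, not code from the original post. Assumes the protected files live
// under ~/App_Data/protected with the ".resources" suffix from the post, and that
// the site authenticates users (forms or Windows auth) so HttpContext.User is set.
public class ProtectedDownloadHandler : IHttpHandler
{
    private const string Suffix = ".resources";
    private const string ProtectedFolder = "~/App_Data/protected";   // assumed location

    public bool IsReusable { get { return true; } }

    // Turn a user-supplied name into a full path inside the protected folder, or null.
    // Only a bare file name is accepted: "..\web.config", "sub/x.pdf" and absolute
    // paths are all rejected, and the normalised result must still start with root.
    // (Rejecting any ".." at all is stricter than strictly necessary, but cheap.)
    public static string ResolveProtectedPath(string root, string requestedName)
    {
        if (string.IsNullOrEmpty(requestedName)) return null;
        if (requestedName != Path.GetFileName(requestedName) || requestedName.Contains("..")) return null;

        string rootFull = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(rootFull, requestedName + Suffix));
        if (!full.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase)) return null;

        return File.Exists(full) ? full : null;
    }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse resp = context.Response;

        // The handler is now the access check, so refuse anonymous callers outright.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            resp.StatusCode = 401;
            return;
        }

        string root = context.Server.MapPath(ProtectedFolder);
        string path = ResolveProtectedPath(root, context.Request.QueryString["file"]);
        if (path == null)
        {
            resp.StatusCode = 404;   // same answer for "missing" and "not allowed"
            return;
        }

        // Name the user sees: the file name only (never the server path), minus the suffix.
        string fileName = Path.GetFileName(path);
        string downloadName = fileName.Substring(0, fileName.Length - Suffix.Length);

        resp.ClearContent();
        resp.ClearHeaders();
        resp.ContentType = MimeMapping.GetMimeMapping(downloadName);   // public API from .NET 4.5
        resp.AddHeader("Content-Disposition", "attachment; filename=\"" + downloadName + "\"");
        resp.AddHeader("X-Content-Type-Options", "nosniff");
        resp.TransmitFile(path);   // streams from disk without buffering the whole file in memory
        context.ApplicationInstance.CompleteRequest();   // finish without Response.End's ThreadAbortException
    }
}
```

Save it as download.ashx with `<%@ WebHandler Language="C#" Class="ProtectedDownloadHandler" %>` on the first line and link to download.ashx?file=protected.pdf.  On frameworks older than 4.5, MimeMapping is not public; substitute a small extension-to-content-type table.  App_Data is a good home for the files because ASP.NET 2.0 refuses to serve anything under it directly, which gives you a second layer on top of the .resources suffix.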


Know When To Quit

Today’s NewsFactor Network showed up in my inbox, and the lead story was:

————————————————————
1. E-Mail Authentication: Holy Grail or Lost Cause?
————————————————————

Originally, e-mail was never designed to do anything more than deliver text messages. But added-on features eventually opened gaps that hackers quickly exploited.

See the Full Story:
http://www.newsfactor.com/story.xhtml?story_id=37643


I’m cool with the second sentence.  How many viruses propagate via e-mail in some form or another?  Not to mention web bugs tracking live addresses, etc.  This was followed by one of their “most popular articles”:

————————————————————
4. Novell Aims To Push E-Mail Further
————————————————————

Novell’s open source Hula Project will bring new applications to e-mail, predicted David Patrick, vice president of open source platforms at Novell.

See the Full Story:
http://www.newsfactor.com/story.xhtml?story_id=37743
————————————————————

So, Novell wants to add more features to something already rendered a little insecure by extending it?  Anyone else see a problem with that?  Which raises the question, “how long until something evil propagates via podcast”?  Let’s face it, there are all sorts of known holes in WMP.  RSS started out as a text-only information transmission system, and it’s been extended with enclosures to include images (a couple of trojans already hide in malformed JPGs) as well as MP3 or WMA.  I’m guessing it’s only a matter of time.

A Simple Passphrase Generator – Latest ASP Alliance Article Published

My latest ASP Alliance article has been published: A Simple Passphrase Generator



Passphrases have been receiving more and more attention as part of a strong security policy. When building secure web-based applications, assigning random passphrases to new user accounts can be a bit of a challenge. In this article, we’ll build a simple passphrase generator that can be used as part of a web application to set or reset user passphrases.


The sample project is in VB.NET / VS 2003.