
I am going to build a website and need to manage users entering the site.

I want to understand a bit about User Management.

Question 1

I need to hash my passwords. I was thinking about SHA-256, but SHA-512 is safer. Do you think I should go for the safer one?

Question 2

When a user is registered to the system, I give him a UserId key in the SQL database, which goes in order: 1, 2, 3 and so on.

When logging into the system the user gets Session["Userid"] = the number from SQL (which can be 1, 2, 5555 and so on).

Is that a safe way to do that?

Question 3

If I want to make a new table of user details, is it fine that when a user is registered and gets a UserId key, I just add another row for him to the user details table?

  • Since you've tagged c#, look at the variants of [ASP.Net Membership](https://msdn.microsoft.com/en-us/library/yh26yfzy(v=vs.140).aspx), which will give you this functionality out of the box. [Hashing here](http://stackoverflow.com/q/1137368/314291). Another option is [Membership Reboot](https://github.com/brockallen/BrockAllen.MembershipReboot/) – StuartLC May 23 '15 at 17:08
  • Ty for the comment, but I am into building one. :) –  May 23 '15 at 17:10

1 Answer


Re: Question 1

From the OWASP cheat sheet:

Do not worry about output block size (i.e. SHA-256 vs. SHA-512).

However, the number of hash iterations used is important, to slow down the rate of an attack. According to OWASP this will be about 240k iterations in 2016. Just be sure to limit the maximum size of a password, lest it enable denial of service attacks against your server.

Question 2: No, UserId must also be hard to guess. If it is easy to get a legitimate UserId in your system, an attacker has an undue foothold. I would suggest a Guid here.

Question 3: I don't fully understand your question. But use techniques like phone / email verification, honeypots, or Captchas to prevent bulk cold registration of users to your system, otherwise you will eventually run out of disk space.

However, the problem of user management and authentication is faced by most .Net websites, and has been solved many times before. I would recommend that you look at out of the box implementations before rolling your own:

StuartLC
  • Thanks for a great answer. A few questions to follow up: so you think GUID, that's fine, I will do that. I didn't understand about 1. Can you tell me SHA-256 or 512? Thanks mate! –  May 23 '15 at 17:57
  • Main point is we shouldn't be building custom implementations, rather use [standards like PBKDF2](http://stackoverflow.com/a/20659101/314291). Here are some [links](http://stackoverflow.com/questions/11624372/best-practice-for-hashing-passwords-sha256-or-sha512) [link](https://community.emc.com/community/edn/rsashare/blog/2010/11/01/sha-2-algorithms-when-sha-512-is-more-secure-and-faster). Also note that [SHA 512 can be truncated to 256 bits](http://en.wikipedia.org/wiki/SHA-2) and [here](http://crypto.stackexchange.com/questions/3153/sha-256-vs-any-256-bits-of-sha-512-which-is-more-secure) – StuartLC May 24 '15 at 05:57
  • Why would I not just hash it with SHA-256 and salt? Is that really not recommended? –  May 24 '15 at 07:36
  • PBKDF2 takes a lot longer to compute so it becomes a lot harder to brute force the password list. For instance a GPU rig capable of computing around 10 billion SHA-256 hashes in a second will only be able to do around 1.5 million PBKDF2 operations a second. – Bell Mar 19 '16 at 19:48