For my Next Project (web + electron + ionic),
I want to use angularjs but don't want to use nodejs and for database.
I am thinking about pouchdb or google-firebase.
Now security is an issue for my database. like i have to connect with my database using angular because i will not use nodejs.
So i have to put my username and password on connection.
will my username and password secure ?
I am thinking that anyone who press Ctrl+u or from dev tool can see my user access.
Any suggestions ?
try angularfire2 library for firebase using this library no needed nodejs or any backend server. it's directly communicate with firebase.here is library
https://github.com/angular/angularfire2
I am afraid that you can't do that, you need some server side application to connect with the database in a secure way.
There is some gold rules you must always follow:
There is no security from the client side.
Never trust on information that comes from the client, even if you think it's validated.
For the security purpose, you can go with firebase auth
these are many secure login methods like
-FirebaseUI
-Password-Based
-Facebook
-Google.. etc
reference link- https://firebase.google.com/docs/auth/web/start
If you are planning to use firebase for the huge database then one thing keep in mind firebase is not designed for the huge database it's limited.You can't compare firebase to SQL n MySQL etc databases. Firebase specifically designed for small databases.
If you grant write access for your chat clients by one hardcoded credentials (really easily get known) - you are on very dangerous side: one can quickly fill your DB with tons of garbage. There is no harm to hardcode read credentials (in order to separate access to different server DBs, i.e.) but for write ones you definitely need registration, which means Node or something. It will handle new users creation and give you ability to block unwanted client behaviour, just in case.
Related
I have a Two Factor Authentication system where I need to store the Auto generated Code and the requested time in some form storage for retrieving it later purpose. I need to know what is the best way to store these sensitive information.
I was planning to use Session to store those sensitive information. When I googled, In some places people are telling its not recommended to use session to store sensitive information. Can any body explain why so.
Any suggestion to this will be highly appreciated.
Thanks
In your user database is fine, it's a web app so the database should be completely hidden from end users (if properly managed).
The rest is just making sure your actual application is secure -- ie no SQL injections, no buffer overflows, proper workflows that all pass through your server side authentication engine etc.
If you are worried about your information they should be encrypted before store them in database, for more secure propose you can use HSM (Hardware security module) to do encryption and decryption for you or even you can rely on OTP (one-time password) for two factor authentication.
I am trying to make a web app that uses PlayFramework2 and Neo4j Graph Database.My web app going to include user system.Users can add their visited places as nodes and traverse.My question; is it okay for keeping passwords and other personal information in nodes for authentication or using table based another database is better for login to web app.If all work can be done using Neo4j, what should be the structure of the user system in graph database for security.I am newbie at these jobs so, sorry if it is a absurd question.
Of course you can use neo4j to store user information.
As on all databases, be careful with some data, don't store password without a hash/crypt method !
If your datas are sensible, you should well configure your neo4j instance to not allow remote connection, and why not implement some user role for connection.
See here : http://docs.neo4j.org/chunked/stable/security-server.html
You should either use one of the modern auth mechanisms like OAuth2 or at least strongly hash and salt the passwords with a long salt.
I am working on a WP7 application. This WP7 application will interact with some web services that I have created. I do not want other applications interacting with these web services. The reason why is because I do not want them stealing my data. With that in mind, here is what I'm currently doing:
Connecting to web services via HTTPS
Making my users initially login to the application
Passing the users username / password with each web service interaction
At this time, I don't see what is stopping a malicious developer from creating a username / password combo and using that account in their application to interact with my web services. How do I really lock this thing down?
Thanks!
As a start towards a more secure system you should stop storing the password and sending it over the wire with each request (even if you're using SSL).
If you must pass it with each request, store a salted hash of the password and use that instead.
I'm using a multi layered approach to this problem. I recommend thinking creatively and using a variety of methods to validate that requests are coming from devices you expect requests to come from.
Alternatively, if there is any merit in your scenario, open up your api to 3rd party developers and make this work toward your objectives.
If you do decide to store a key in your app, don't store RAW text but instead declare a byte array of the UTF8 values, this won't be as easy to read.
You can then handshake with your service using a salted hash of the key the first time the app is run, the service hands out another key for the device to actually use day-to-day.
The phone should have an almost accurate time, so you can recalculate the key each day or hour. You can also revoke the key at the server end for just that device.
This API will be useful in ensuring you can blacklist a device permanently.
DeviceExtendedProperties.GetValue(“DeviceUniqueId”).ToByte();
I've not looked into symmetric encryption by you might even be able to use the above unique ID as a private key.
I think the key to success is that first hand-shake, and ensuring that is not snooped. If it's a really important system, then don't use any of these ideas since rolling your own encryption is always flimsy to anyone with serious intent - use well-known methods and read up.
Luke
You could introduce an "Authorized Application ID" feature where the application sends its name or identifier within each HTTP request body. Then on the server side you can verify the application's identity (e.g. store the authorized app ID's in a table). The application ID would be encrypted within the HTTP(S) body.
This would also give you the option of pushing out new application ID's in updated versions of the WP7 application if you wanted to get rid of an older application ID. You'd also be able support new applications on difference devices or platforms in the future.
You may want to look at this
http://channel9.msdn.com/Blogs/Jafa/Windows-Phone-7-Trade-Me-Developer-Starter-Kit
I am using Entity Framework and have the same model on many databases and servers. I want to set my connection string at runtime based on the logged in user. I am currently overriding CreateObjectContext() in my DomainService and setting the connection string there. This works great, but I'm concerned with the lack of security. For example, in my DomainService, I have an invoke method called SetConnectionString() where I pass in the connections string each time I need a new Entity. This is being done from the DomainContext (client side). Since I am using SQL Integrated Security, I am concerned that someone could manipulate the connection string on the clinet and get access to a database that they are not authorized to use.
What is the most secure way to dynamically set the connection string for the domain entity I want to use at runtime?
I do have the database name and server settings in a database that I could look up from the DomainService if I passed in my project id or some other piece of information, but I am then right back to the same issue - someone could easily spoof this info.
Ideas??
-Scott
Hopefully my answer is relevant as the same security issues are faced by flash developers...
The only way to make this really secure ("this" being database connections from your client side code) is to make each user only have read-only access to their data in the database.
As you are realizing, there is no way to stop the user from monitoring/modifying data that you are sending back to the server. Even if you encrypt the communication, the user still has access to the code and in the case of flash, source code due to trivial decompilation.
I am not a DB developer, but I do security audits of stuff like you are asking often, so the following advice could be wrong, but I just googled, and it seems like maybe you could use views to restrict users (sets of credentials) to specific information.
If not, this article seems relevant to what you want:
http://technet.microsoft.com/en-us/library/cc966395.aspx
What about using the ASP.NET membership framework? Tie the user login with a Login call in the framework to make sure the user an authorized user. Add a "RequiresAuthentication" attribute to each of the functions you want to protect in your domain service.
Here are more details on using ASP.NET membership with Silverlight: WCF RIA Services - Authentication, Roles, and Profiles
i'm developing a .net winforms desktop application intended to be run at several bank's branches as a backup application whenever the main one (a web application) is unavailable due to connection issues with the bank's central node. The branchs themselves don't count with any enterprise services besides a SQL-Server database. For that reason, the application should be able to connect directly to the SQL-Server. My problem arises when I have to provide the application with a password to connect to the database:
1) Storing the password in clear text in a app.config file or similar is not an option (the customer requires the password to be encrypted)
2) Storing the password encrypted in a configuration file leads to the need of having an encryption key locally available. The encryption key could be just hardcoded in the application's code, but it would be easily readable by using a .net-decompiler or similar.
3) Using a custom algorithm to encrypt/decrypt wouldn't work either due to the same reasons as 2).
4) Integrated security is not supported by the bank
Additionally, the customers requires that they should be able to change the password in one location (within a branch) without the need to go from one computer to another updating config files (that rules out the possibility of using the machine's key to encrypt the password in individual machine's config files like asp.net does)
Would you provide any other approach or suggestion to deal with this problem?
I would appreciate any help.
Thanks in advance,
Bernabé
I don't think that encyrpting the password by any means is going to solve your problem. If the user has to send the password to server, and the password is located on the box, then by definition the user running the application must have access to the password and be able to decrypt it. Otherwise, you wouldn't be able to authenticate them. This means that there will always be a way for the user to get at the password, regardless of where you store it.
I can think of 2 ways that could possibly work, but I'm afraid they're not exactly what you're looking for.
Remove the requirement of having the
user send the password to the server
by using some sort of local proxy
(for example using a WCF windows
service) to take your winform
requests and then send them on your
behalf to the DB server. If you
install the service using an account
different from the user's account,
then you can secure the password by
any of the means mentioned in the other
answers. They key here is to make
sure the application user does not
have access to the resources that
the service account needs to decrypt
the password.
Don't store the password in the web config. Assign each user a different user account and password at the database level and have them type it in when they log in.
You could use the protected configuration built into .Net. See Encrypting Configuration Information Using Protected Configuration in the MSDN docs. One of it's raison d'etres was to encrypt data such as connection strings in config files.
You could
To use DPAPI to store a encryption/decryption key securely: How To: Use DPAPI to Encrypt and Decrypt Data
To install a SQL Server Compact Edition (or another small database) into your workstations and to synchronize data when your web application comes online again.
To ask for help inside that institution, as other people could have solved that problem and could to help you.
Definitely agree with the above regarding DPAPI. Microsoft's Enterprise Library makes this an absolute breeze too, so I would consider looking there first.