Tempo Maintenance, Thursday August 23rd at 9 PM EDT

2012-08-21 18:05:35 -0400

This Thursday night, August 23rd at 9pm EDT, Tempo and other web systems will be temporarily unavailable while we perform critical patch updates to ensure the stability of our services.

This maintenance outage will also affect the Tempo API, the Connect website, and the site for Codebook.

Downtime could last up to 1 hour; however, we hope it will be completed much more quickly. If you need to get in touch with us for any reason, please don’t hesitate.

Tempo Maintenance, Thursday August 16th at 9 PM EDT

2012-08-15 12:31:16 -0400

This Thursday night, August 16th at 9pm EDT, Tempo and other web systems will be temporarily unavailable while we perform critical patch updates to ensure the stability of our services.

This maintenance outage will also affect the Tempo API, the Connect website, and the site for Codebook.

Downtime could last up to 1 hour; however, we hope it will be completed much more quickly. If you need to get in touch with us for any reason, please don’t hesitate.

Strip for Android Preview

2012-07-25 15:15:56 -0400

We mentioned a while back that we were busy working on a port of Strip for the Android platform. Development has been coming along smoothly, and we launched a beta testing program to get feedback from some of our most enthusiastic users, which has been very successful. Below you can see what some of the interface looks like:

If you are interested in using, on the Android platform, the same technology found in the application identified as most resilient to password cracking at the BlackHatEU conference, be sure to sign up here to be notified when Strip for Android is released.

Tempo Maintenance, Thursday July 19th at 9 PM EDT

2012-07-17 12:08:50 -0400

This Thursday night, July 19th at 9pm EDT, Tempo and other web systems will be temporarily unavailable while we perform critical patch updates to ensure the stability of our services.

This maintenance outage will also affect the Tempo API, the Connect website, and the site for Codebook.

Down time could last up to 1 hour (though we hope it will be completed more quickly). If you need to get in touch with us for any reason, please don’t hesitate.

Secure Password Hashing for ASP.NET in One Line

2012-07-03 11:38:35 -0400

Following up on my earlier post about improving the security of the ASP.NET SqlMembershipProvider, and on Troy Hunt's excellently thorough article Our Password Hashing Has No Clothes and further discussions with @thorsheim, @blowdart, and @klingsen (all of whom I recommend following), I took a second look at how to use the algorithms in the Zetetic.Security package without mucking about with machine.config and the .NET Global Assembly Cache, which really complicate the deployment picture.

The bad news is that the .NET base class libraries only read "name-to-algorithm" mappings from machine.config.  I was pretty surprised to see this, but it's plain as day in System.Security.Cryptography.CryptoConfig.OpenCryptoConfig().

The good news is that adding to the HashAlgorithms an application can use is super, super easy.  Start by grabbing the Zetetic.Security package from NuGet; next, one line of code will do the trick (in Global.asax's Application_Start, for example):

System.Security.Cryptography.CryptoConfig.AddAlgorithm( typeof(Zetetic.Security.Pbkdf2Hash), "pbkdf2_local");

Adjust the membership settings in Web.config as per usual:

<membership hashAlgorithmType="pbkdf2_local"><!-- other stuff --></membership>

Voila, your ASP.NET application is now using a much, much stronger password hash algorithm than the (really rather embarrassing) defaults of SHA1 and SHA256.
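To show what the one-line registration does, here is an added example (not from the original post and not Zetetic.Security's code) that registers a hypothetical PBKDF2-backed class, DemoPbkdf2Hash, under the made-up name pbkdf2_demo and then resolves it by name. It assumes .NET Framework 4 or later and that the caller supplies the salt through the Key property.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for a PBKDF2-backed HashAlgorithm (not Zetetic.Security's code).
// Assumption: the salt arrives via the Key property and the password via the hashed data.
public sealed class DemoPbkdf2Hash : KeyedHashAlgorithm
{
    private const int Iterations = 10000;   // constructed value for this demo
    private readonly MemoryStream _password = new MemoryStream();

    public DemoPbkdf2Hash()
    {
        HashSizeValue = 256;                 // 32-byte output
        KeyValue = new byte[16];             // placeholder until the caller sets a salt
    }

    public override void Initialize() { _password.SetLength(0); }

    protected override void HashCore(byte[] data, int offset, int count)
    {
        _password.Write(data, offset, count);   // buffer the password bytes
    }

    protected override byte[] HashFinal()
    {
        // Rfc2898DeriveBytes is the base class library's PBKDF2 (HMAC-SHA1) implementation.
        using (var kdf = new Rfc2898DeriveBytes(_password.ToArray(), KeyValue, Iterations))
            return kdf.GetBytes(HashSizeValue / 8);
    }
}

public static class Program
{
    public static void Main()
    {
        // Same call the post places in Application_Start, with a made-up name.
        CryptoConfig.AddAlgorithm(typeof(DemoPbkdf2Hash), "pbkdf2_demo");
        // Name-based lookup; HashAlgorithm.Create(name) resolves through this call.
        using (var alg = CryptoConfig.CreateFromName("pbkdf2_demo") as HashAlgorithm)
        {
            if (!(alg is DemoPbkdf2Hash)) throw new InvalidOperationException("mapping not registered");
            ((KeyedHashAlgorithm)alg).Key = Encoding.UTF8.GetBytes("constructed-salt-16b");
            byte[] hash = alg.ComputeHash(Encoding.UTF8.GetBytes("constructed password"));
            Console.WriteLine("{0}: {1} bytes", alg.GetType().Name, hash.Length);
        }
    }
}
```

If the registration line is removed, CreateFromName returns null for the unknown name and the check throws, which is a quick way to confirm at startup that the mapping is in place before the membership provider needs it.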