C# PasswordService class
Problem
I am new to C# and developed a configurable PasswordService class. As the code works, the next step is to improve the code. Right now there are the following options:
- Set alpha characters and the number of alpha characters that have to be in the password.
- Set numeric characters and the number of numeric characters that have to be in the password.
- Set non-alphanumeric characters and the number of non-alphanumeric characters that have to be in the password.
My questions:
- Is the structure fine as it is?
- Are the thrown Exceptions and their messages well chosen?
- What do you think about the generate function so far?
- Would you add or adjust the options?
- Are the C#/XML comments valid?
- How can I improve the password algorithm?
- Did I miss something else?
```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace PasswordGenerator
{
    namespace Utility
    {
        namespace Service
        {
            /// <summary>
            /// This is a configurable password generator.
            /// </summary>
            class PasswordService
            {
                string sAlphaCharacters;
                string sNumericCharacters;
                string sNonAlphanumericCharacters;
                uint uiNumberOfAlphaCharacters;
                uint uiNumberOfNumericCharacters;
                uint uiNumberOfNonAlphanumericCharacters;

                /// <summary>
                /// Initializes class with common configuration.
                /// </summary>
                public PasswordService()
                {
                    // Default alphabets: every ASCII letter once, the ten digits, and a fixed symbol set.
                    this.SAlphaCharacters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
                    this.SNumericCharacters = "0123456789";
                    this.SNonAlphanumericCharacters = "!$%&()[]{}=?#";
                    this.UiNumberOfAlphaCharacters = 6;
                    this.UiNumberOfNumericCharacters = 6;
                    this.UiNumberOfNonAlphanumericCharacters = 3;
                }

                // Accessor & modifier
                public string SAlphaCharacters
                {
                    get
                    {
                        return sAlphaCharacters;
                    }
                    set
                    {
                        // The remainder of the class (the other accessors and the
                        // Generate method discussed in the answer) is cut off on this page.
```
Solution
You have asked a lot of questions and omitted the most important question. Is the security system I have developed secure against attacks?
Absolutely it is not. There is an enormous security problem here.
Random is pseudo-random, not crypto-strength random, and that means that it is easy for an attacker to make good guesses about the output of this algorithm. In particular, if the attacker has a password generated by this algorithm then they have a high likelihood of being able to determine some or all future passwords.
Oh, but wait, it gets worse.
What happens if you try to generate two passwords within the same millisecond? You get the same password both times. You are not re-using the Random instance, which means that it picks a random seed based on the current time. Which means that if I am trying to attack the system I can try to generate a password at the same time as another user, and then I have their password.
If this is an exercise, well, you learned something today: always use crypto-strength randomness in security systems. If this is not an exercise then you need to hire a consultant who specializes in security systems. Do not roll your own security system; you will do it wrong.
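As an added example (not the poster's or the answerer's code), here is the same configurable generator built on `System.Security.Cryptography.RandomNumberGenerator`, which is what the answer means by crypto-strength randomness: each character class contributes exactly its configured count, and the result is shuffled with the CSPRNG. The property names are assumed, and `RandomNumberGenerator.GetInt32` requires .NET Core 3.0 or later.

```csharp
using System;
using System.Security.Cryptography;

namespace PasswordGenerator.Utility.Service
{
    /// <summary>
    /// Configurable password generator that draws every character from the
    /// OS cryptographic RNG instead of System.Random. Added example; the
    /// property names are assumed, not the original poster's.
    /// </summary>
    public class SecurePasswordService
    {
        public string AlphaCharacters { get; set; } = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
        public string NumericCharacters { get; set; } = "0123456789";
        public string NonAlphanumericCharacters { get; set; } = "!$%&()[]{}=?#";
        public int NumberOfAlphaCharacters { get; set; } = 6;
        public int NumberOfNumericCharacters { get; set; } = 6;
        public int NumberOfNonAlphanumericCharacters { get; set; } = 3;

        public string Generate()
        {
            var chars = new char[NumberOfAlphaCharacters + NumberOfNumericCharacters
                                 + NumberOfNonAlphanumericCharacters];
            // Each class contributes exactly its configured count, so the
            // policy is guaranteed rather than merely likely.
            int pos = Fill(chars, 0, AlphaCharacters, NumberOfAlphaCharacters);
            pos = Fill(chars, pos, NumericCharacters, NumberOfNumericCharacters);
            Fill(chars, pos, NonAlphanumericCharacters, NumberOfNonAlphanumericCharacters);

            // Fisher-Yates shuffle driven by the CSPRNG, so the position of each
            // class (letters, then digits, then symbols) is not predictable.
            for (int i = chars.Length - 1; i > 0; i--)
            {
                int j = RandomNumberGenerator.GetInt32(i + 1); // uniform in [0, i]
                (chars[i], chars[j]) = (chars[j], chars[i]);
            }
            return new string(chars);
        }

        private static int Fill(char[] dest, int pos, string alphabet, int count)
        {
            if (count > 0 && string.IsNullOrEmpty(alphabet))
                throw new InvalidOperationException("Empty alphabet with a non-zero count.");
            for (int i = 0; i < count; i++)
                // GetInt32 rejection-samples internally, so there is no modulo bias.
                dest[pos++] = alphabet[RandomNumberGenerator.GetInt32(alphabet.Length)];
            return pos;
        }
    }
}
```

Because nothing here is seeded from the clock, two calls within the same millisecond return independent passwords, which removes the collision the answer describes.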
Context
StackExchange Code Review Q#91644, answer score: 13