I'm a big fan of your teaching.
I have followed this course from the beginning; it's very impressive.
Can you please create a video on role-based authorization, so that specific controllers/components are restricted to specific roles/users? Either in Angular or in the Web API. Please.
Yes, I will do that
very helpful, thanks 🙏
Thank you for the content
Sir, why did you not add extra fields for registration in the Web API? If you have added them, please provide the link to that video.
If the source code is leaked and they have the DB, does this mean they can easily decrypt all of the passwords?
Great tutorial, thanks for that.
Thank you so much sir, this series is really helpful.
Glad to hear it is helpful. Don't forget to subscribe and press the bell icon to get instant alerts when I upload a new video.
Hey Sandeep, if a hacker gets hold of the database, he can still do a brute-force attack, right? He can take the most common passwords and hash them using an algorithm and the salt (passwordkey) stored in the database. Then he can compare the resulting hash with the value in the database. If a match is found, then the hacker knows the password to use. Granted, the hacker's job is difficult because he doesn't know which algorithm we used and there are millions of commonly used passwords.
Yes, a hacker can do that, but even if he is able to get the hash of one password, he is still not able to identify whether any other user in the hacked database has the same password, because every hash has a different salt key.
One more thing we can do is store one more key in a safer place and use that as well in the salt for hashing. That way, even if the database is hacked, the hacker will still need the other key to get the correct hash.
The SHA-* family is less safe against brute-force attacks on hashed passwords; one can calculate about 3 giga SHA-512 values per second with common hardware nowadays, which makes brute-forcing way too easy for SHA-*.
Nowadays more secure options are available; one can use a dedicated password hash function like Argon2, BCrypt, or PBKDF2. All of these functions offer a cost factor to control the time necessary to calculate a single password hash: the higher the cost factor, the more hashing rounds are done, which makes it safer. I think BCrypt is a good choice for a .NET application as it is available built in, but I have not tried it yet.
Let me know if you find something.
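The reply above makes three points: a random salt per user, an extra secret key kept outside the database, and a slow hash with a tunable cost factor. The following is an added example (not the tutorial's code, not the author's) that puts all three together for a .NET 6+ Web API using PBKDF2-HMAC-SHA256 from System.Security.Cryptography. The type names PasswordRecord and PasswordHasher, the iteration counts, and the demo inputs are assumptions made for this example; the pepper in a real deployment would come from an environment variable or key vault rather than be generated in Main.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the tutorial's code. Hypothetical names: PasswordRecord,
// PasswordHasher. A PasswordRecord is what one user's DB row would hold:
// per-user salt, derived hash, and the iteration count used to produce it.
public sealed record PasswordRecord(byte[] Salt, byte[] Hash, int Iterations);

public sealed class PasswordHasher
{
    private const int SaltSize = 16;  // 128-bit random salt, different for every user
    private const int HashSize = 32;  // 256-bit derived key

    private readonly byte[] _pepper;
    private readonly int _iterations;

    // pepper: the "one more key at a safer place" from the reply above. It must live
    // outside the database (environment variable, key vault), never in a table row.
    // iterations: the cost factor; raise it until one Verify() takes tens of
    // milliseconds on your server hardware.
    public PasswordHasher(byte[] pepper, int iterations = 600_000)
    {
        if (pepper is null || pepper.Length < 32)
            throw new ArgumentException("pepper must be at least 32 random bytes");
        if (iterations < 100_000)
            throw new ArgumentOutOfRangeException(nameof(iterations));
        _pepper = pepper;
        _iterations = iterations;
    }

    public PasswordRecord Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        return new PasswordRecord(salt, Derive(password, salt, _iterations), _iterations);
    }

    public bool Verify(string password, PasswordRecord stored)
    {
        // Use the iteration count stored with the row so old rows still verify after
        // the default cost is raised; compare in constant time to avoid a timing leak.
        byte[] candidate = Derive(password, stored.Salt, stored.Iterations);
        return CryptographicOperations.FixedTimeEquals(candidate, stored.Hash);
    }

    private byte[] Derive(string password, byte[] salt, int iterations)
    {
        // Pepper first: HMAC the password with the secret key. An attacker holding the
        // table but not the pepper cannot even test a single guess against it.
        byte[] peppered = HMACSHA256.HashData(_pepper, Encoding.UTF8.GetBytes(password));
        // Then the slow, salted derivation (PBKDF2-HMAC-SHA256) that throttles brute force.
        return Rfc2898DeriveBytes.Pbkdf2(peppered, salt, iterations, HashAlgorithmName.SHA256, HashSize);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed demo inputs: in a real deployment the pepper is loaded from a secret store.
        byte[] pepper = RandomNumberGenerator.GetBytes(32);
        var hasher = new PasswordHasher(pepper, iterations: 310_000);

        // Two users with the same password get different salts and therefore different
        // hashes, so cracking one row says nothing about the other.
        PasswordRecord alice = hasher.Hash("Password123!");
        PasswordRecord bob = hasher.Hash("Password123!");
        Console.WriteLine($"same hash for same password? {CryptographicOperations.FixedTimeEquals(alice.Hash, bob.Hash)}");

        Console.WriteLine($"alice, correct password: {hasher.Verify("Password123!", alice)}");
        Console.WriteLine($"alice, wrong password:   {hasher.Verify("password123!", alice)}");

        // A copy of the table checked with a different pepper fails for every row,
        // so the database alone is not enough to mount the offline guessing attack.
        var attacker = new PasswordHasher(RandomNumberGenerator.GetBytes(32), iterations: 310_000);
        Console.WriteLine($"same table, unknown pepper: {attacker.Verify("Password123!", alice)}");
    }
}
```

Storing Iterations with each row is what lets you raise the cost factor later without locking out existing users: verify with the old count, and on a successful login re-hash with the new one.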
Thanks for the video! .. one thing I am not sure about though is that you're still passing the username/password in plain text when calling login/register? shouldn't they be encrypted so people can't listen on the connection?
Or is the plan to make it HTTPS instead of HTTP? In which case, I believe it is OK to send plain text, as HTTPS will encrypt everything anyway?
Yes, in upcoming videos I have shown how to enable HTTPS on this project when I deployed it on Azure and IIS.
I have a question: how do I use a stored procedure in your Web API code? Please advise.
Good question. I had no plan to use stored procedures in this tutorial, but now I will make a video on that as well.
How do I create the salt on the client side before sending it to the server?
Sir, I was doing the back end in Visual Studio and it works, but when I run it using dotnet run, there seems to be an issue.
What issue are you getting? Can you provide more details?
@StudyMash Actually, I figured it out. I used https instead of http. But in Visual Studio it works with https.
OK, great.
Can you please show how to containerize the whole application?
Yes, I have a plan to containerize it.
I am getting this error, "Unable to create an object of type 'DataContext'. For the different patterns supported at design time, see go.microsoft.com/fwlink/?linkid=851728", when adding migrations while running this command: dotnet ef migrations add UpdateUserForPasswordEncryption. The build succeeded, but the migration is not being added to the migrations folder.
After these changes, register works, but when I try login, it returns "500 Internal Server Error (Object reference not set to an instance of an object)". How do I fix it?
If you can share github link to your code, I can suggest where the issue is.
@StudyMash I registered another user and tried to log in with the new username and password; then the issue was solved and another token was generated. Why I got this error I still don't know, maybe because of the token's lifetime or something like that. Thank you for the fast answer, sir.
How do I decrypt a password with hashing and salting?
Hashing is one-way encryption; you can decrypt the same.