Most developers know that passwords should never be stored in plain text and should be hashed instead. Only slightly fewer know that a “salt” should be combined with the password before hashing to defeat precomputation (time/memory trade-off) attacks (1). Fewer know which hash function they should use, and lately it seems the majority don’t know that they shouldn’t just be salting and hashing at all, and should instead be using a key derivation function such as PBKDF2 or scrypt. We will be exploring PBKDF2 here, but scrypt is a perfectly viable option. The current draft of the new NIST guidelines says (2):
Verifiers SHALL store memorized secrets in a form that is resistant to offline attacks. Secrets SHALL be hashed with a salt value using an approved hash function such as PBKDF2 as described in [SP800-132]. The salt…
I recently installed SharePoint 2010 on my client machine to investigate some of the BCS and Search features for a client project. SharePoint 2010 now allows a standalone installation on Vista x64 SP1 or higher and Windows 7 x64, which is a major improvement over the remote development nightmare that existed with MOSS 2007.
For instructions on the proper method for installation, read the following MSDN article: Setting Up the Development Environment for SharePoint 2010 on Windows Vista, Windows 7, and Windows Server 2008
Description of Issue
After installation, I was repeatedly unable to log on to SharePoint using Firefox, getting “Access Denied” errors after typing in my domain account and password. (Note: this was the same account I used for installation.)
Switching to IE allowed me access to the central administration site; however, there were many functions and features that were unavailable…