How to avoid storing secrets in the source code?

  • .NET
  • Security
There are lots of examples of projects which contain secrets in the source code. A secret can be a password, a server configuration, tokens to connect to a server, a certificate, etc. You can search for "Remove password" on GitHub to find more than 400k commits. These secrets may be used for deploying the application or connecting to an external service. Note: If you discover a password in your code,…

Implementing Two-factor authentication in an ASP.NET Core application

  • .NET
  • Security
There are 3 common ways to authenticate someone: something you know, such as a login/password or security questions; something you have, such as a smart card, a cell phone, an ID, etc.; something you are, such as a fingerprint or other biometric methods. In the previous posts, I've written a lot about authentication using passwords (something you know). If you want to add more security, you must ask for a…

Automatically log in a user on a website using the Credential Management API?

  • .NET
  • Security
  • Web
Many websites require users to log in to access their resources. From a user's point of view, the login process can be complicated, and it's even more complex when there are multiple ways to authenticate: login/password or a social provider (Microsoft, Google, Facebook, etc.). For instance, some users enter their Google credentials in the Username/Password form instead of clicking the Google button,…

How to prompt for a password on Windows?

  • .NET
  • Security
In the previous post, we discovered how to store a password on Windows using the Credential Manager. Today, we'll see the other part of the API, which allows the user to enter their password. This API allows asking for a username/password from a console application or a GUI application. Optionally, the user can save the password in the Credential Manager, so the next time the password is read directly from the…

How to implement Password reset feature in a web application?

  • Security
Users are humans, so they have memory problems like everyone else. Thus, they forget their password from time to time. The purpose of this article is to show how to give them back access to your application. To be clear, the post is about what to do when a user clicks the submit button on this page: ❌ Resend the password by email: If you are considering this solution, you are not storing…

How to store a password in a web application?

  • .NET
  • Security
A password is a very sensitive piece of information. It allows a user to authenticate to an application. You should not store it like any other data. We often see news indicating that passwords have leaked. This has happened to LinkedIn, Adobe, 500px and unfortunately many more. So you have to make sure that such incidents cannot happen in your applications. Indeed, you are responsible for your data. In…