Do you use MD5 or SHA1 to store passwords? Think they are secure? Think again.

While generic hashing algorithms are certainly better than storing passwords in plain text, it’s still not as secure as it should be. Users place great trust in us to ensure that their credentials will be secure and treated with the utmost respect; it’s our responsibility to live up to these expectations.

With the simplicity and speed of these general purpose algorithms, it’s possible to generate hashes looking for collisions (or even the original value) extremely quickly. It’s this speed that introduces the fatal flaw; with a database dump containing MD5 hashed passwords, with a fairly small investment most could be recovered within a very small amount of time (mere days for a large database).

Many people are moving to bcrypt as a solution. In Coda Hale’s “How To Safely Store A Password” he covers this topic in more detail, complete with useful stats and links to implementations in languages from C# to Ruby (even Erlang is represented).

If you are looking for ways to better protect your user’s data, take a closer look at your password storage.

It looks like the core Silverlight 3 tools are now available:

• Microsoft Expression Blend 3 + SketchFlow RC
• Microsoft® Silverlight™ 3 SDK
• Microsoft® Silverlight™ 3 Tools for Visual Studio 2008 SP1
• Deep Zoom Composer

Though the tools needed for development seem to be public, I’ve yet to see the end-user run-time; though I imagine we’ll see that in the release anticipated for tomorrow.

Time to have some fun.

Update: Client run-time is now available.

The great Lutz Roeder has released a new version of the .NET Reflector. From what I’ve seen; this version is extremely nice. This has long been a required tool of any serious developer. With this update Reflector has reinforced its position in the list of tools you just can’t live without.

Scott Hanselman provides a great review; check it out for the details on what’s new.

For those that have been looking forward to seeing the final result of Microsoft’s attempt at AJAX, your wait is over. ASP.NET AJAX 1.0 has been released.

I’ve not had time to test this yet, but it sure looks like it has promise. I’ll be playing with this one soon, I’ve got a couple new projects this might be perfect for.

Xceed has released version 1.0 of their new WPF based DataGrid, and best of all, made it free! If you’ve missed the news, you might want to check this out.

An update to the Visual Studio PowerToy Pack Installer has just been announced. This handy application wraps up many of the PowerToys so that they can be installed from one easy to use UI. With so many of these Power Toys available, this installer is great to have; otherwise finding and installing them can be a slow and painful experience.

If you’re a power user, or fancy yourself a power tweaker, this one might just be for you.