Cracking More Password Hashes With Patterns

Cracking More Password Hashes with Patterns
ABSTRACT
It is a common mistake of application developers to store user passwords within
databases as plaintext or only as their unsalted hash values. Many real-life successful hacking
attempts that enabled attackers to get unauthorized access to sensitive database entries including
user passwords have been experienced in the past. Seizing password hashes, attackers perform
brute-force, dictionary, or rainbow-table attacks to reveal plaintext passwords from their hashes.
Dictionary attacks are very fast for cracking hashes but their success rate is not sufficient. In this
paper, we propose a novel method for improving dictionary attacks. Our method exploits several
password patterns that are commonly preferred by users when trying to choose a complex and
strong password. In order to analyze and show success rates of our developed method, we
performed cracking tests on real-life leaked password hashes using both a traditional dictionary
and our pattern-based dictionary. We observed that our pattern-based method is superior for
cracking password hashes.
1.INTRODUCTION
Authentication is one of the most important requirements for information security. There
exist various methods for authentication based on what we know (e.g. passwords, PINs), what
we have (e.g. security hardware tokens) and who we are (e.g. biometric fingerprints). Among the
existing methods, password-based systems are easier to implement and therefore the most
frequently used method for authentication. Being very critical for security, passwords are often
targeted during cyber-attacks as well. An attacker that hacks a system and reveals user passwords
stored within the database gets unauthorized access to accounts of all users. In the past many
enterprise companies and organizations were victims of such attacks. Attackers use frequently
SQL injection vulnerabilities that exist within applications in order to access database tables.
They send arbitrary SQL queries to retrieve passwords and other sensitive data from tables and
manipulate stored data, even by using automated tools such as sqlmap or Havij. Considering this
fact, developers must never store passwords in plaintext within databases. Developers mostly
know the fact that they should store hash values of passwords instead of plaintext. However, it is
also a critical security weakness if the hash value of a password is calculated and stored without
appending per-user unique salt value to the password before hashing. In a classical scenario, a
user chooses a password by a registration process. The hash value (md5, sha1, sha256 etc.) of the
password is calculated on the backend server and this calculated hash value is stored in the
database.
This implementation is very insecure too. Even though hash functions are one-way
functions, attackers can perform brute force, dictionary or rainbow-table attacks in order to
reveal input values (i.e. plaintext password) from the given output values (i.e. hash value). By
brute-force attacks, the hash value of each possible input value is calculated and compared with
the given hash value to crack. By dictionary attacks, large dictionary files containing thousands
or millions of possible passwords are utilized. Given a hash value to crack, an attacker calculates
the hash value of each plaintext word from the dictionary line by line and compares the
calculated hash values with the given hash value. If they are matched, the plaintext password is
thus revealed. On the other hand, a very large set of pre-computed hash tables containing hash
values and their corresponding plaintext values are used by rainbow-table attacks. Given a hash
value to crack, an attacker checks if the given hash value exists within the pre-computed lookup
table. If it exists within the table, the plaintext password is found out. If we compare brute-force,
dictionary and rainbow-table attacks, they all have pros and cons. Brute-force attacks find out the
plaintext definitely in the end but they are very time consuming. Dictionary attacks are fast but
the success rate is not sufficient. Rainbow-table attacks are fast and successful at cracking but
they require having a very big disk storage capacity. They are especially non-practical if a salt
value is used for password hashes. In this paper, we propose a new method for increasing success
rates of dictionary attacks. For our method we analyzed leaked real-life user passwords and
identified several patterns which are commonly chosen by many users to create a complex and
strong password from a dictionary word. For example, a dot (“.”), an exclamation mark (“!”) or
“123” are often appended at the end of a dictionary word. Similarly, a dictionary word is
repeated two times (e.g. kingking) or three times (e.g. kingkingking).We developed a software
tool, namely pbp-generator (pattern based password generator), that implements our identified
patterns and creates a new pattern-based large dictionary file from a given dictionary file. We
generated a pattern-based dictionary file with ca. 2.3 billion passwords to crack password hashes
belonging to fifteen different datasets which consist of real-life leaked password hashes. Digital
forensic investigators are involved with the analysis of crime cases. They often come across
password protection during investigation. They need to crack passwords either in order to access
a particular user account or to unlock encrypted or otherwise obfuscated digital evidence. Our
pattern-based method would help forensic investigators for more efficient password cracking. It
is important to note that security of hash functions is not within the scope of this paper. If a user
chooses a weak password with a certain pattern, even a very secure hash function cannot prevent
attackers from cracking password hashes. Patterns have no negative effect on computed hash
values. In conclusion, the focus of this paper is the analysis of user-chosen plaintext passwords
rather than the formal security model of hash functions.
2.LITERATURE SURVEY
Rockyou.com web portal was the target of a very critical cyber-attack in December 2009 [3].
The hacker had found SQL injection vulnerability in the rockyou website and got access to its
32.6 million user passwords. Worse still, the passwords were stored as plaintext in the database.
The leaked passwords without usernames were published in the Internet. In the past, security
researchers did not have such a large real-life resource for password analysis. Therefore, the
published 32.6 million real-life passwords have become a very valuable data for security experts
and researchers.
A. Password Complexity Rules
It is always suggested that a secure password must not consist of only lowercase letters. Instead,
it must contain lowercase and uppercase letters, digits and special symbol characters. A
password fulfilling these complexity requirements would provide high entropy [13] and therefore
should be more resistant against password guessing attacks. Today, enterprise companies and
organizations define such password rules within their security policies and try to enforce their
employees and customers to choose complex passwords. On the other hand, it is questionable if a
password fulfilling the complexity rules including minimum length can be considered as a strong
password. Let’s take the following password “P4s5w0rd1.” into consideration. This password
has the length of ten characters and contains five lowercase letters, one uppercase letter, four
digits and one special symbol. This password is considered and accepted in general as a strong
password according to many password policies of enterprise companies and organizations. But
we believe, this is an insecure password and can be easily cracked by using our pattern-based
attack. The password “P4s5w0rd1.” contains three different common patterns. The first pattern is
capitalization of the TABLE I THE TOP TEN LIST OF REGULAR EXPRESSIONS FOR
PASSWORDS WITH THE LENGTH BETWEEN 2 AND 5 first letter. The second pattern is
replacing certain letters with numbers (a→4, o→0, s→5) and the third pattern is appending “1.”
to the password. Since people are bad at remembering complicated passwords and have to use
complex passwords due to password policies, they tend to create “strong” passwords by using
such patterns. However, these common patterns jeopardize security of the passwords. If many
passwords share the same patterns, they can be identified and then misused to guess passwords
successfully with the help of automated tools.
B. Rockyou Pattern Analysis Based on Regular Expressions
Skullsecurity [14] provides various leaked real-life password dictionaries to download. We
utilized their special “rockyou” password list that includes additionally the total count for each
unique password.
In the first step, we analyzed the rockyou passwords based on their regular expression
representations. We created different Top 10 lists which consist of the most common regular
expressions and their hit counts according to the different password lengths as shown in Table I,
II and III
The Top 10 lists showed us some interesting facts. Most of the passwords are composed of
appending numbers to letters. Therefore, we decided to continue with the analysis of dual and
triple combinations of different character groups as explained in the following section. Another
interesting fact is that the top one regular expression of passwords with the length of ten
characters is ˆ[0-9]{10}$. This shows us that passwords belonging to this group consist of only
numbers with the length of ten digits. We examined such passwords manually and concluded
that these are mostly telephone numbers.
C. Rockyou Pattern Analysis Based on
Dual and Triple Combinations
After analyzing the most common regular expressions representations, we analyzed the
frequency of dual and triple combinations of different character groups (i.e. alpha, digit TABLE
IV DUAL COMBINATION OF CHARACTER GROUPS WITH EXAMPLES and special
symbol). In this analysis, [:alpha:] represents any alpha character between a to z and between A
to Z. [:digit:] represents numbers between 0 and 9. [:symbol:] represents the following
punctuation characters: . , " ’ ? ! ; : # $ % & ( ) * + - / < > = @ [ ] ˆ _ { } |.
By the dual combination analysis, the total numbers of [:alpha:]+[:digit:], [:alpha:]+[:symbol:]
and [:digit:]+[:symbol:] combinations and their reverse order combinations were analyzed. This
analysis showed us that circa 10 million rockyou passwords (30%) are in the form of [:alpha:] +
[:digit:] combination, which means users mostly prefer appending a number to a dictionary word
to create their passwords. Based on these results, we decided to examine [:alpha:]+[:digit:]
combinations further to find more specific patterns. In the Table IV, the total counts of all dual
combinations and their examples from the rockyou list are shown.
By the triple combination analysis, the total numbers of [:alpha:]+[:digit:]+[:symbol:], [:alpha:]+
[:symbol:]+ [:digit:] and [:digit:]+[:symbol:]+[:alpha:] combinations and their reverse order
combinations were analyzed. Compared with the dual combinations, the triple combinations are
not very much preferred by the rockyou users. The most frequently used triple combinations are
[:alpha:]+[:symbol:]+[:digit:] with 0.57% and [:alpha:]+[:digit:]+[:symbol:] with 0.25%.
Analyzing these combinations further we identified that digits and special symbols are together
(e.g. “#1”, “123.”, “*1” etc.) appended to dictionary words to create passwords. The total counts
of all triple combinations and their examples from the rockyou list are shown in Table V.
In addition to dual and triple combination analysis, we checked the frequencies of the
punctuation characters. This analysis showed that certain symbols are more frequent than the
others. The most frequently used punctuation character is point (.) with 0.7%. Underscore (_) has
the second place with 0.58% and exclamation mark (!) has the third place with 0.55%. The total
counts of each punctuation character in the password list are given in the Table VI. These
frequencies were taken into consideration in our further analysis.
3.SYSTEM ANALYSIS
FEASIBILITY STUDY
Feasibility study is a process which defines exactly what a project is and what strategic issues
need to be considered to assess its feasibility, or likelihood of succeeding. Feasibility studies are
useful both when starting a new business, and identifying a new opportunity for an existing
business. Ideally, the feasibility study process involves making rational decisions about a number
of enduring characteristics of a project, including:
 Technical feasibility- do we’ have the technology’? If not, can we get it?
 Operational feasibility- do we have the resources to build the system? Will the system be
acceptable? Will people use it?
 Economic feasibility, technical feasibility, schedule feasibility, and operational
feasibility- are the benefits greater than the costs?
TECHNICAL FEASIBILITY
Technical feasibility is concerned with the existing computer system (Hardware,
Software etc.) and to what extend it can support the proposed addition. For example, if particular
software will work only in a computer with a higher configuration, an additional hardware is
required. This involves financial considerations and if the budget is a serious constraint, then the
proposal will be considered not feasible.
OPERATIONAL FEASIBILITY
Operational feasibility is a measure of how well a proposed system solves the problems,
and takes advantages of the opportunities identified during scope definition and how it satisfies
the requirements identified in the requirements identified in the requirements analysis phase of
system development.
ECONOMIC FEASIBILITY
Economic analysis is the most frequently used method for evaluating the effectiveness of
a candidate system. More commonly known as cost/ benefit analysis, the procedure is to
determine the benefits and savings that are expected from a candidate system and compare them
with costs. If benefits outweigh costs, then the decision is made to design and implement the
system.
EXISTING SYSTEM:
In the existing methods, password-based systems are easier to implement and therefore
the most frequently used method for authentication. Being very critical for security, passwords
are often targeted during cyber-attacks as well. An attacker that hacks a system and reveals user
passwords stored within the database gets unauthorized access to accounts of all users. In the
past many enterprise companies and organizations were victims of such attacks.
Attackers use frequently SQL injection vulnerabilities that exist within applications in
order to access database tables. They send arbitrary SQL queries to retrieve passwords and other
sensitive data from tables and manipulate stored data, even by using automated tools such as
sqlmap or Havij.
Disadvantages:
Brute Force: The most time-consuming type of attack is a brute-force attack, which tries
every possible combination of uppercase and lowercase letters, numbers, and symbols.
Wire Sniffing: The majority of Sniffer tools are ideally suited to sniff data in hub
environment. These tools are also known as passive sniffers as they passively wait for data to be
sent before capturing the information. User account passwords are commonly hashed or
encrypted when sent on the network to prevent unauthorized access and use. In such cases hacker
uses his special tools to crack password.
PROPOSED SYSTEM:
We propose a new method for increasing success rates of dictionary attacks. For our
method we analyzed leaked real-life user passwords and identified several patterns which are
commonly chosen by many users to create a complex and strong password from a dictionary
word. We developed a software tool, namely pbp-generator (pattern based password generator),
that implements our identified patterns and creates a new pattern-based large dictionary file from
a given dictionary file. We generated a pattern-based dictionary file with ca. 2.3 billion
passwords to crack password hashes belonging to fifteen different datasets which consist of real-
life leaked password hashes
Advantages:
 Our pattern-based method would help forensic investigators for more efficient password
cracking.
 Our Proposed Method used in Banking Transactions for high password security.
 This method provides protection against online guessing attacks and related denial-of-
service attacks, including attacks by ex-users, and other security benefits.
4.SYSTEM SPECIFICATION
Hardware Requirements:
 System : Pentium IV 2.4 GHz.

 Hard Disk : 40 GB.
 Floppy Drive : 1.44 Mb.
 Monitor : 14’ Colour Monitor.
 Mouse : Optical Mouse.
 Ram : 512 Mb.
Software Requirements:
 Operating system : Windows 7 Ultimate.

 Coding Language : ASP.Net with C#
 Front-End : Visual Studio 2010 Professional.
 Data Base : SQL Server 2008.
SOFTWARE DESCRIPTION
ABOUT THE SOFTWARE
What is .NET?
Many people reckon that it's Microsoft's way of controlling the Internet, which is
false. .NET is Microsoft's strategy of software that provides services to people any time, any
place, on any device. An accurate definition of .NET is, it's an XML Web Services platform
which allows us to build rich .NET applications, which allows users to interact with the Internet
using wide range of smart devices (tablet devices, pocket PC's, web phones etc), which allows to
build and integrate Web Services .
What is .NET Built On?

.NET is built on the Windows Server System to take major advantage of the OS and
which comes with a host of different servers which allows for building, deploying, managing and
maintaining Web-based solutions. The Windows Server System is designed with performance as
priority and it provides scalability, reliability, and manageability for the global, Web-enabled
enterprise.Since the initial announcement of the .NET Framework, it's taken on many new and
different meanings to different people.
To a developer, .NET means a great environment for creating robust distributed

applications. To an IT manager, .NET means simpler deployment of applications to end users,
tighter security, and simpler management.
To a CTO or CIO, .NET means happier developers using state-of-the-art development

technologies and a smaller bottom line.To understand why all these statements are true, you need
to get a grip on what the .NET Framework consists of, and how it's truly a revolutionary step
forward for application architecture, development, and deployment.
I. NET Framework
Now that you are familiar with the major goals of the .NET Framework, let's briefly
examine its architecture. As you can see in Figure 1-2, the .NET Framework sits on top of the
operating system, which can be a few different flavors of Windows and consists of a number of
components .NET is essentially a system application that runs on Windows.
Conceptually, the CLR and the JVM are similar in that they are both runtime
infrastructures that abstract the underlying platform differences. However, while the JVM
officially supports only the Java language, the CLR supports any language that can be
represented in itsCommon Intermediate Language (CIL). The JVM executes bytecode, so it can,
in principle, support many languages, too.
Another conceptual difference between the two infrastructures is that Java code runs on
any platform with a JVM, whereas .NET code runs only on platforms that support the CLR. In
April, 2003, the International Organization for Standardization and the International
Electrotechnical Committee (ISO/IEC) recognized a functional subset of the CLR, known as the
Common Language Interface (CLI), as an international standard.
This development, initiated by Microsoft and developed by ECMA International, a
European standards organization, opens the way for third parties to implement their own versions
of the CLR on other platforms.
The layer on top of the CLR is a set of framework base classes. This set of classes is
similar to the set of classes found in STL, MFC, ATL, or Java. These classes support
rudimentary input and output functionality, string manipulation, security management, network
communications, thread management, text management, reflection functionality, collections
functionality, as well as other functions.
On top of the framework base classes is a set of classes that extend the base classes to
support data management and XML manipulation. These classes, called ADO.NET, support
persistent data management—data that is stored on backend databases. Alongside the data
classes, the .NET Framework supports a number of classes to let you manipulate XML data and
perform XML searching and XML translations.
Classes in three different technologies (including web services, Web Forms, and
Windows Forms) extend the framework base classes and the data and XML classes. Web
services include a number of classes that support the development of lightweight distributed
components, which work even in the face of firewalls and NAT software. These components
support plug-and-play across the Internet, because web services employ standard HTTP and
SOAP.
Web Forms, the key technology behind ASP.NET, include a number of classes that allow
you to rapidly develop webGraphical User Interface (GUI) applications. If you're currently
developing web applications with Visual Interdev, you can think of Web Forms as a facility that
allows you to develop web GUIs.
Windows Forms support a set of classes that allow you to develop nativeWindows GUI
applications. You can think of these classes collectively as a much better version of the MFC in
C++ because they support easier and more powerful GUI development and provide a common,
consistent interface that can be used in all languages.
Features OF. Net
Microsoft .NET is a set of Microsoft software technologies for rapidly building
and integrating XML Web services, Microsoft Windows-based applications, and Web solutions.
The .NET Framework is a language-neutral platform for writing programs that can easily and
securely interoperate. There’s no language barrier with .NET: there are numerous languages
available to the developer including Managed C++, C#, Visual Basic and Java Script. The .NET
framework provides the foundation for components to interact seamlessly, whether locally or
remotely on different platforms. It standardizes common data types and communications
protocols so that components created in different languages can easily interoperate.
“.NET” is also the collective name given to various software components built
upon the .NET platform. These will be both products (Visual Studio.NET and Windows.NET
Server, for instance) and services (like Passport, .NET My Services, and so on).
II. The Common Language Runtime

At the heart of the .NET Framework is the common language runtime. The common
language runtime is responsible for providing the execution environment that code written in
a .NET language runs under.
The common language runtime can be compared to the Visual Basic 6 runtime, except that
the common language runtime is designed to handle all .NET languages, not just one, as the
Visual Basic 6 runtime did for Visual Basic 6. The following list describes some of the benefits
the common language runtime gives you:
 Automatic memory management
 Cross-language debugging
 Cross-language exception handling
 Full support for component versioning
 Access to legacy COM components
 XCOPY deployment
 Robust security model
You might expect all those features, but this has never been possible using Microsoft
development tools.Since the initial announcement of the .NET Framework, it's taken on many
new and different meanings to different people. To a developer, .NET means a great
environment for creating robust distributed applications.
To an IT manager, .NET means simpler deployment of applications to end users, tighter
security, and simpler management. To a CTO or CIO, .NET means happier developers using
state-of-the-art development technologies and a smaller bottom line.
To understand why all these statements are true, you need to get a grip on what the .NET
Framework consists of, and how it's truly a revolutionary step forward for application
architecture, development, and deployment.
III. The .NET Framework Class Library
The second most. But to write the code, you need a foundation of available classes to
access the resources of the operating system, database server, or file server. The FCL is made up
of a hierarchy of namespaces that expose classes, structures, interfaces, enumerations, and
delegates that give you access to these resources. The namespaces are logically defined by
functionality. For example, the System.Data namespace contains all the functionality available
to accessing databases. This namespace is further broken down into System.Data.SqlClient,
which exposes functionality specific to SQL Server, and System.Data.OleDb, which exposes
specific functionality for accessing OLEDB data sources. The bounds of a namespace aren't
necessarily defined by specific assemblies within the FCL; rather, they're focused on
functionality and logical grouping. In total, there are more than 20,000 classes in the FCL, all
logically grouped in a hierarchical manner. Figure 1.8 shows where the FCL fits into the .NET
Framework and the logical grouping of namespaces.
To use an FCL class in your application, you use theImports statement in Visual
Basic .NET or theusing statement in C#. When you reference a namespace in Visual Basic .NET
or C#, you also get the convenience of auto-complete and auto-list members when you access the
objects' types using Visual Studio .NET. This makes it very easy to determine what types are
available for each class in the namespace you're using. As you'll see over the next several weeks,
it's very easy to start coding in Visual Studio .NET.
The Structure of a .NET Application
To understand how the common language runtime manages code execution, you must
examine the structure of a .NET application. The primary unit of a .NET application is the
assembly. An assembly is a self-describing collection of code, resources, and metadata. The
assembly manifest contains information about what is contained within the assembly. The
assembly manifest provides:
 Identity information, such as the assembly’s name and version number

 A list of all types exposed by the assembly
 A list of other assemblies required by the assembly
 A list of code access security instructions, including permissions required by the
assembly and permissions to be denied the assembly
Each assembly has one and only one assembly manifest, and it contains all the description
information for the assembly. However, the assembly manifest can be contained in its own file or
within one of the assembly’s modules. An assembly contains one or more modules. A module
contains the code that makes up your application or library, and it contains metadata that
describes that code. When you compile a project into an assembly, your code is converted from
high-level code to IL. Because all managed code is first converted to IL code, applications
written in different languages can easily interact. For example, one developer might write an
application in Visual C# that accesses a DLL in Visual Basic .NET. Both resources will be
converted to IL modules before being executed, thus avoiding any language-incompatibility
issues.
The Structure of a .NET Application
To understand how the common language runtime manages code execution, you must
examine the structure of a .NET application. The primary unit of a .NET application is the
assembly. An assembly is a self-describing collection of code, resources, and metadata. The
assembly manifest contains information about what is contained within the assembly. The
assembly manifest provides:
 Identity information, such as the assembly’s name and version number
 A list of all types exposed by the assembly
 A list of other assemblies required by the assembly
 A list of code access security instructions, including permissions required by the
assembly and permissions to be denied the assembly
Each assembly has one and only one assembly manifest, and it contains all the description
information for the assembly. However, the assembly manifest can be contained in its own file or
within one of the assembly’s modules.
An assembly contains one or more modules. A module contains the code that makes up
your application or library, and it contains metadata that describes that code. When you compile
a project into an assembly, your code is converted from high-level code to IL. Because all
managed code is first converted to IL code, applications written in different languages can easily
interact. For example, one developer might write an application in Visual C# that accesses a
DLL in Visual Basic .NET. Both resources will be converted to IL modules before being
executed, thus avoiding any language-incompatibility issues.
Each module also contains a number of types. Types are templates that describe a set of
data encapsulation and functionality. There are two kinds of types: reference types (classes) and
value types (structures). These types are discussed in greater detail in Lesson 2 of this chapter.
Each type is described to the common language runtime in the assembly manifest. A type can
contain fields, properties, and methods, each of which should be related to a common
functionality.
For example, you might have a class that represents a bank account. It contains fields,
properties, and methods related to the functions needed to implement a bank account. A field
represents storage of a particular type of data. One field might store the name of an account
holder, for example. Properties are similar to fields, but properties usually provide some kind of
validation when data is set or retrieved. You might have a property that represents an account
balance.
When an attempt is made to change the value, the property can check to see if the
attempted change is greater than a predetermined limit. If the value is greater than the limit, the
property does not allow the change. Methods represent behavior, such as actions taken on data
stored within the class or changes to the user interface. Continuing with the bank account
example, you might have a Transfer method that transfers a balance from a checking account to a
savings account, or an Alert method that warns users when their balances fall below a
predetermined level.
Compilation and Execution of a .NET Application
When you compile a .NET application, it is not compiled to binary machine code; rather,
it is converted to IL. This is the form that your deployed application takes—one or more
assemblies consisting of executable files and DLL files in IL form. At least one of these
assemblies will contain an executable file that has been designated as the entry point for the
application.
When execution of your program begins, the first assembly is loaded into memory. At
this point, the common language runtime examines the assembly manifest and determines the
requirements to run the program. It examines security permissions requested by the assembly and
compares them with the system’s security policy. If the system’s security policy does not allow
the requested permissions, the application will not run. If the application passes the system’s
security policy, the common language runtime executes the code. It creates a process for the
application to run in and begins application execution.
When execution starts, the first bit of code that needs to be executed is loaded into
memory and compiled into native binary code from IL by the common language runtime’s Just-
In-Time (JIT) compiler. Once compiled, the code is executed and stored in memory as native
code. Thus, each portion of code is compiled only once when an application executes. Whenever
program execution branches to code that has not yet run, the JIT compiler compiles it ahead of
execution and stores it in memory as binary code. This way, application performance is
maximized because only the parts of a program that are executed are compiled.
The .NET Framework base class library contains the base classes that provide many of
the services and objects you need when writing your applications. The class library is organized
into namespaces. A namespace is a logical grouping of types that perform related functions. For
example, the System .Windows Forms namespace contains all the types that make up Windows
forms and the controls used in those forms.
Namespaces are logical groupings of related classes. The namespaces in the .NET base
class library are organized hierarchically. The root of the .NET Framework is the System
namespace. Other namespaces can be accessed with the period operator. A typical namespace
construction appears as follows:
System
System.Data
System.Data.SQLClient
The first example refers to the System namespace. The second refers to the System.Data
namespace. The third example refers to the System.Data.SQLClient namespace.
Table -introduces some of the more commonly used .NET base class namespaces.
Table-.Representative .NET Namespaces
Namespace Description
This namespace is the root for many of the low-level types required by
the .NET Framework. It is the root for primitive data types as well,
System
and it is the root for all the other namespaces in the .NET base class
library.
This namespace contains classes that represent a variety of different
container types, such as Array List, Sorted List, Queue, and Stack.
System. Collections
You also can find abstract classes, such as Collection Base, which are
useful for implementing your own collection functionality.
This namespace contains classes involved in component creation and
System.ComponentModel
containment, such as attributes, type converters, and license providers.
Table-.Representative .NET Namespaces
Namespace Description
This namespace contains classes required for database access and
System. Data
manipulations, as well as additional namespaces used for data access.
This namespace contains a set of classes that are shared by the .NET
System.Data.Common
managed data providers.
This namespace contains classes that make up the managed data
System.Data.OleDb
provider for OLE DB data access.
This namespace contains classes that are optimized for interacting with
System.Data.SQLClient
Microsoft SQL Server.
This namespace exposes GDI+ functionality and provides classes that
System.Drawing
facilitate graphics rendering.
System.IO In this namespace, you will find types for handling file system I/O.
This namespace is home to common mathematics functions such as
System. Math
extracting roots and trigonometry.
This namespace provides support for obtaining information and
System. Reflection
dynamic creation of types at runtime.
This namespace is home to types dealing with permissions,
System. Security
cryptography, and code access security.
This namespace contains classes that facilitate the implementation of
System. Threading
multithreaded applications.
This namespace contains types involved in creating standard Windows
System.Windows.Forms applications. Classes that represent forms and controls reside here as
well.
The namespace names are self-descriptive by design. Straightforward names make

the .NET Framework easy to use and allow you to rapidly familiarize yourself with its contents.
Introduction to Object-Oriented Programming

Programming in the .NET Framework environment is done with objects. Objects are
programmatic constructs that represent packages of related data and functionality. Objects are
self-contained and expose specific functionality to the rest of the application environment
without detailing the inner workings of the object itself. Objects are created from a template
called a class. The .NET base class library provides a set of classes from which you can create
objects in your applications.
Objects, Members, and Abstraction
An object is a programmatic construct that represents something. In the real world,

objects are cars, bicycles, laptop computers, and so on. Each of these items exposes specific
functionality and has specific properties. In your application, an object might be a form, a control
such as a button, a database connection, or any of a number of other constructs. Each object is a
complete functional unit, and contains all of the data and exposes all of the functionality required
to fulfill its purpose. The ability of programmatic objects to represent real-world objects is called
abstraction.
ADO.NET Data Architecture
Data access in ADO.NET relies on two entities: the DataSet, which stores data on the
local machine, and the Data Provider, a set of components that mediates interaction between the
program and the database.
The Dataset
The DataSet is a disconnected, in-memory representation of data. It can be thought of as

a local copy of the relevant portions of a database. Data can be loaded into a DataSet from any
valid data source, such as a SQL Server database, a Microsoft Access database, or an XML file.
The DataSet persists in memory, and the data therein can be manipulated and updated
independent of the database. When appropriate, the DataSet can then act as a template for
updating the central database.
The DataSet object contains a collection of zero or more DataTable objects, each of
which is an in-memory representation of a single table. The structure of a particular DataTable is
defined by the DataColumns collection, which enumerates the columns in a particular table, and
the Constraint collection, which enumerates any constraints on the table. Together, these two
collections make up the table schema. A DataTable also contains a DataRows collection, which
contains the actual data in the DataSet.
The DataSet contains a DataRelations collection. A DataRelation object allows you to

create associations between rows in one table and rows in another table. The DataRelations
collection enumerates a set of DataRelation objects that define the relationships between tables
in the DataSet. For example, consider a DataSet that contains two related tables: an Employees
table and a Projects table. In the Employees table, each employee is represented only once and is
identified by a unique EmployeeID field. In the Projects table, an employee in charge of a project
is identified by the EmployeeID field, but can appear more than once if that employee is in
charge of multiple projects. This is an example of a one-to-many relationship; you would use a
DataRelation object to define this relationship.Additionally, a DataSet contains an
ExtendedProperties collection, which is used to store custom information about the DataSet
The Data Provider
The link to the database is created and maintained by a data provider. A data provider is not a
single component, rather it is a set of related components that work together to provide data in an
efficient, performance-driven manner. The first version of the Microsoft .NET Framework
shipped with two data providers: the SQL Server .NET Data Provider, designed specifically to
work with SQL Server 7 or later, and the OleDb .NET Data Provider, which connects with other
types of databases. Microsoft Visual Studio .NET 2003 added two more data providers: the
ODBC Data Provider and the Oracle Data Provider. Each data provider consists of versions of
the following generic component classes:
 The Connection object provides the connection to the database.

 The Command object executes a command against a data source. It can execute non-
query commands, such as INSERT, UPDATE, or DELETE, or return a DataReader with
the results of a SELECT command.
 The Data Reader object provides a forward-only, read-only, connected recordset.
 The Data Adapter object populates a disconnected DataSet or DataTable with data and
performs updates.
Data access in ADO.NET is facilitated as follows: a Connection object establishes a

connection between the application and the database. This connection can be accessed directly
by a Command object or by a DataAdapter object.
The Command object provides direct execution of a command to the database. If the
command returns more than a single value, the Command object returns a DataReader to provide
the data. This data can be directly processed by application logic. Alternatively, you can use the
DataAdapter to fill a DataSet object. Updates to the database can be achieved through the
Command object or through the DataAdapter.The generic classes that make up the data providers
are summarized in the following sections.
REPORT:
A report is used to vies and print information from the database. The report can ground
records into many levels and compute totals and average by checking values from many
records at once. Also the report is attractive and distinctive because we have control over the
size and appearance of it.
MACRO:
A macro is a set of actions. Each action in macros does something. Such as opening a form or
printing a report .We write macros to automate the common tasks the work easy and save the
time.
C# (pronounced C Sharp) is a multi-paradigm programming language that encompasses

functional, imperative, generic, object-oriented (class-based), and component-oriented
programming disciplines. It was developed by Microsoft as part of the .NET initiative and later
approved as a standard by ECMA (ECMA-334) and ISO (ISO/IEC 23270). C# is one of the 44
programming languages supported by the .NET Framework's Common Language Runtime.
C# is intended to be a simple, modern, general-purpose, object-oriented programming language.

Anders Hejlsberg, the designer of Delphi, leads the team which is developing C#. It has an
object-oriented syntax based on C++ and is heavily influenced by other programming languages
such as Delphi and Java. It was initially named Cool, which stood for "C like Object Oriented
Language". However, in July 2000, when Microsoft made the project public, the name of the
programming language was given as C#. The most recent version of the language is C# 3.0
which was released in conjunction with the .NET Framework 3.5 in 2007. The next proposed
version, C# 4.0, is in development.
History:-
In 1996, Sun Microsystems released the Java programming language with Microsoft soon
purchasing a license to implement it in their operating system. Java was originally meant to be a
platform independent language, but Microsoft, in their implementation, broke their license
agreement and made a few changes that would essentially inhibit Java's platform-independent
capabilities. Sun filed a lawsuit and Microsoft settled, deciding to create their own version of a
partially compiled, partially interpreted object-oriented programming language with syntax
closely related to that of C++.
During the development of .NET, the class libraries were originally written in a
language/compiler called Simple Managed C (SMC). In January 1999, Anders Hejlsberg formed
a team to build a new language at the time called Cool, which stood for "C like Object Oriented
Language".Microsoft had considered keeping the name "Cool" as the final name of the language,
but chose not to do so for trademark reasons. By the time the .NET project was publicly
announced at the July 2000 Professional DevelopersConference, the language had been renamed
C#, and the class libraries and ASP.NET runtime had been ported to C#.
C#'s principal designer and lead architect at Microsoft is Anders Hejlsberg, who was previously
involved with the design of Visual J++, BorlandDelphi, and Turbo Pascal. In interviews and
technical papers he has stated that flaws in most major programming languages (e.g. C++, Java,
Delphi, and Smalltalk) drove the fundamentals of the Common Language Runtime (CLR),
which, in turn, drove the design of the C# programming language itself. Some argue that C#
shares roots in other languages.
Features of C#:-
By design, C# is the programming language that most directly reflects the underlying Common
Language Infrastructure (CLI). Most of C#'s intrinsic types correspond to value-types
implemented by the CLI framework. However, the C# language specification does not state the
code generation requirements of the compiler: that is, it does not state that a C# compiler must
target a Common Language Runtime (CLR), or generate Common Intermediate Language (CIL),
or generate any other specific format. Theoretically, a C# compiler could generate machine code
like traditional compilers of C++ or FORTRAN; in practice, all existing C# implementations
target CIL.
Some notable C# distinguishing features are:
 There are no global variables or functions. All methods and members must be declared
within classes. It is possible, however, to use static methods/variables within public
classes instead of global variables/functions.
 Local variables cannot shadow variables of the enclosing block, unlike C and C++.
Variable shadowing is often considered confusing by C++ texts.
 C# supports a strict Boolean data type, bool. Statements that take conditions, such as
while and if, require an expression of a Boolean type. While C++ also has a Boolean
type, it can be freely converted to and from integers, and expressions such as if(a) require
only that a is convertible to bool, allowing a to be an int, or a pointer. C# disallows this
"integer meaning true or false" approach on the grounds that forcing programmers to use
expressions that return exactly bool can prevent certain types of programming mistakes
such as if (a = b) (use of = instead of ==).
 In C#, memory address pointers can only be used within blocks specifically marked as
unsafe, and programs with unsafe code need appropriate permissions to run. Most object
access is done through safe object references, which are always either pointing to a valid,
existing object, or have the well-defined null value; a reference to a garbage-collected
object, or to random block of memory, is impossible to obtain. An unsafe pointer can
point to an instance of a value-type, array, string, or a block of memory allocated on a
stack. Code that is not marked as unsafe can still store and manipulate pointers through
the System.IntPtr type, but cannot dereference them.
 Managed memory cannot be explicitly freed, but is automatically garbage collected.
Garbage collection addresses memory leaks. C# also provides direct support for
deterministic finalization with the using statement (supporting the Resource Acquisition
Is Initialization idiom).
 Multiple inheritance is not supported, although a class can implement any number of
interfaces. This was a design decision by the language's lead architect to avoid
complication, avoid dependency hell and simplify architectural requirements throughout
CLI.
 C# is more type safe than C++. The only implicit conversions by default are those which
are considered safe, such as widening of integers and conversion from a derived type to a
base type. This is enforced at compile-time, during JIT, and, in some cases, at runtime.
There are no implicit conversions between Booleans and integers, nor between
enumeration members and integers (except for literal 0, which can be implicitly
converted to any enumerated type). Any user-defined conversion must be explicitly
marked as explicit or implicit, unlike C++ copy constructors (which are implicit by
default) and conversion operators (which are always implicit).
 Enumeration members are placed in their own scope.
 C# provides syntactic sugar for a common pattern of a pair of methods, accessor (getter)
and mutator (setter) encapsulating operations on a single attribute of a class, in form of
properties.
 Full type reflection and discovery is available.
 C# currently (as of 3 June 2008) has 77 reserved words.
Common Type system (CTS)
C# has a unified type system. This unified type system is called Common Type System (CTS).
A unified type system implies that all types, including primitives such as integers, are subclasses
of the System. Object class. For example, every type inherits a To String () method. For
performance reasons, primitive types (and value types in general) are internally allocated on the
stack.
IV. Categories of data types
CTS separate data types into two categories:
 Value types
 Reference types
Value types are plain aggregations of data. Instances of value types do not have referential
identity or referential comparison semantics - equality and inequality comparisons for value
types compare the actual data values within the instances, unless the corresponding operators are
overloaded. Value types are derived from System.ValueType, always have a default value, and
can always be created and copied. Some other limitations on value types are that they cannot
derive from each other (but can implement interfaces) and cannot have a default (parameter less)
constructor. Examples of value types are some primitive types, such as int (a signed 32-bit
integer), float (a 32-bit IEEE floating-point number), char (a 16-bit Unicode code point), and
System.DateTime (identifies a specific point in time with millisecond precision).
In contrast, reference types have the notion of referential identity - each instance of reference
type is inherently distinct from every other instance, even if the data within both instances is the
same. This is reflected in default equality and inequality comparisons for reference types, which
test for referential rather than structural equality, unless the corresponding operators are
overloaded (such as the case for System. String). In general, it is not always possible to create an
instance of a reference type, nor to copy an existing instance, or perform a value comparison on
two existing instances, though specific reference types can provide such services by exposing a
public constructor or implementing a corresponding interface (such as ICloneable or I
Comparable). Examples of reference types are object (the ultimate base class for all other C#
classes), System. String (a string of Unicode characters), and System. Array (a base class for all
C# arrays).
Both type categories are extensible with user-defined types.
V. Boxing and unboxing Boxing is the operation of converting a value of a value type
into a value of a corresponding reference type.
ACCESS PRIVIEGES
IIS provides several new access levels. The following values can set the type of access
allowed to specific directories:
o Read
o Write
o Script
o Execute
o Log Access
o Directory Browsing.
ActiveX
ActiveX is a specification develops by Microsoft that allows ordinary Windows programs

to be run within a Web page. ActiveX programs can be written in languages such as Visual Basic
and they are complied before being placed on the Web server.
ActiveX application, called controls, are downloaded and executed by the Web
browser, like Java applets. Unlike Java applets, controls can be installed permanently when they
are downloaded; eliminating the need to download them again. ActiveX’s main advantage is that
it can do just about anything.
This can also be a disadvantage:
Several enterprising programmers have already used ActiveX to bring exciting new
capabilities to Web page, such as “the Web page that turns off your computer” and “the Web
page that formats disk drive”.
Fortunately, ActiveX includes a signature feature that identifies the source of the control
and prevents controls from being modified. While this won’t prevent a control from damaging
system, we can specify which sources of controls we trust.
ActiveX has two main disadvantages
It isn’t as easy to program as scripting language or Java.
ActiveX is proprietary.
It works only in Microsoft Internet Explorer and only Windows platforms.
ADO.NET
ADO.NET provides consistent access to data sources such as Microsoft SQL Server, as
well as data sources exposed via OLE DB and XML. Data-sharing consumer applications can
use ADO.NET to connect to these data sources and retrieve, manipulate, and update data.
ADO.NET cleanly factors data access from data manipulation into discrete components
that can be used separately or in tandem. ADO.NET includes .NET data providers for connecting
to a database, executing commands, and retrieving results. Those results are either processed
directly, or placed in an ADO.NET Dataset object in order to be exposed to the user in an ad-hoc
manner, combined with data from multiple sources, or remote between tiers. The ADO.NET
Dataset object can also be used independently of a .NET data provider to manage data local to
the application or sourced from XML.
Why ADO.NET?
As application development has evolved, new applications have become loosely coupled
based on the Web application model. More and more of today's applications use XML to encode
data to be passed over network connections. Web applications use HTTP as the fabric for
communication between tiers, and therefore must explicitly handle maintaining state between
requests. This new model is very different from the connected, tightly coupled style of
programming that characterized the client/server era, where a connection was held open for the
duration of the program's lifetime and no special handling of state was required.
In designing tools and technologies to meet the needs of today's developer, Microsoft
recognized that an entirely new programming model for data access was needed, one that is built
upon the .NET Framework. Building on the .NET Framework ensured that the data access
technology would be uniform—components would share a common type system, design
patterns, and naming conventions.
ADO.NET was designed to meet the needs of this new programming model:
disconnected data architecture, tight integration with XML, common data representation with the
ability to combine data from multiple and varied data sources, and optimized facilities for
interacting with a database, all native to the .NET Framework.
Leverage Current ADO Knowledge
Microsoft's design for ADO.NET addresses many of the requirements of today's

application development model. At the same time, the programming model stays as similar as
possible to ADO, so current ADO developers do not have to start from scratch in learning a
brand new data access technology. ADO.NET is an intrinsic part of the .NET Framework
without seeming completely foreign to the ADO programmer.
ADO.NET coexists with ADO. While most new .NET applications will be written using
ADO.NET, ADO remains available to the .NET programmer through .NET COM
interoperability services. For more information about the similarities and the differences between
ADO.NET and ADO.
ADO.NET provides first-class support for the disconnected, n-tier programming

environment for which many new applications are written. The concept of working with a
disconnected set of data has become a focal point in the programming model. The ADO.NET
solution for n-tier programming is the Dataset.
XML Support
XML and data access are intimately tied—XML is all about encoding data, and data access is
increasingly becoming all about XML. The .NET Framework does not just support Web
standards—it is built entirely on top of them.
5.SYSTEM DESIGN:-
DATA FLOW DIAGRAM
LEVEL 0:
LEVEL 1:
LEVEL 2:
UML DIAGRAM:
Class Diagram:
Upload Images Register Information

image_name user name Select Image Password
Location password image_name
File_value age Image_byte
Admin_control Uplod_file dob username
Image_type Byte_Value phone_number x_value
Image_url address Y_value
image_type Page_url
Read_Byte() user_type
Image_url() image_database()
Sql_image_File() Sql_function()
Drag and Drop Select Image Password

imagename
username
imagevalue
Drag_value
Select_value
Drag_and_drop_password()
Use case Diagram:

Uploadimage
Register Information
Select Image Password
Drag and Drop
Admin
User
Drag and Drop Select Image
Password
Login Select Image Password
Login Drag and Drop Select Image

Password
Welcome SBI Bank
Sequence diagram:
Admin User Uploadimage Register Select Image Drag and Drop Drag and Drop Select Login Select Login Drag and Drop Welcome SBI
Information Password Image Password Image Password Select Image Password Bank
Select_image
Logout
Register User Type
Image
Drop image
Drop Other Location
Home Page
Login
Select Image Password
SBI Home Page
Logout
Collaboration Diagram:
Select Image 5: Drop image
Password
Drag and
Admin Drop
1: Select_image
4: Image 6: Drop Other Location
Uploadi
2: Logout mage Register
Information
Drag and Drop Select
Image Password
7: Home Page
User 3: Register User Type

8: Login
Login Select Imag

e Password
11: Logout 9: Select Image Password
Welcome Login Drag and Drop

SBI Bank Select Image Password
10: SBI Home Page
SYSTEM ARCHITECTURE
Start
New Register
Home
No
Exit Yes
Login
Admin
Login Select Image
Password
Upload Images Login Drag and Drop Select Image Password
Welcome SBI Bank Register Information
Stop Select Image Password
Drag and Drop Select Image Password
Home
DATABASE DESIGN
New Registration
Registering Image:
Uploading Images by Admin:
Deposit Table:
Transaction History Table:
6.SYSTEM IMPLEMENTATION
MODULES:
1. Pass Points Module.
2. Cued Click Points Module.
3. Persuasive Cued Click- Points Module.
MODULES DESCRIPTION:
Pass Points Module:
Based on Blonder’s original idea, Pass Points (PP) is a click-based graphical password system
where a password consists of an ordered sequence of five click-points on a pixel-based image.
To log in, a user must click within some system-defined tolerance region for each click-point.
The image acts as a cue to help users remember their password click-points.
Cued Click Points Module:
Cued Click Points (CCP) was developed as an alternative click based graphical password
scheme where users select one point per image for five images. The interface displays only one
image at a time; the image is replaced by the next image as soon as a user selects a click point.
The system determines the next image to display based on the user’s click-point on the current
image. The next image displayed to users is based on a deterministic function of the point which
is currently selected. It now presents a one to-one cued recall scenario where each image triggers
the user’s memory of the one click-point on that image. Secondly, if a user enters an incorrect
click-point during login, the next image displayed will also be incorrect. Legitimate users who
see an unrecognized image know that they made an error with their previous click-point.
Conversely, this implicit feedback is not helpful to an attacker who does not know the expected
sequence of images.
Persuasive Cued Click- Points Module:
To address the issue of hotspots, Persuasive Cued Click Points (PCCP) was proposed. As
with CCP, a password consists of five click points, one on each of five images. During password
creation, most of the image is dimmed except for a small view port area that is randomly
positioned on the image. Users must select a click-point within the view port. If they are unable
or unwilling to select a point in the current view port, they may press the Shuffle button to
randomly reposition the view port. The view port guides users to select more random passwords
that are less likely to include hotspots. A user who is determined to reach a certain click-point
may still shuffle until the view port moves to the specific location, but this is a time consuming
and more tedious process.
NORMALIZATION
The basic objective of normalization is to be reducing redundancy which means that
information is to be stored only once. Storing information several times leads to wastage of
storage space and increase in the total size of the data stored.
If a Database is not properly designed it can gives rise to modification anomalies. Modification
anomalies arise when data is added to, changed or deleted from a database table. Similarly, in
traditional databases as well as improperly designed relational databases, data redundancy can be
a problem. These can be eliminated by normalizing a database.
Normalization is the process of breaking down a table into smaller tables. So that each
table deals with a single theme. There are three different kinds of modifications of anomalies and
formulated the first, second and third normal forms (3NF) is considered sufficient for most
practical purposes. It should be considered only after a thorough analysis and complete
understanding of its implications.
FIRST NORMAL FORM (1NF):
This form also called as a “flat file”. Each column should contain data in respect of a
single attributes and no two rows may be identical. To bring a table to First Normal Form,
repeating groups of fields should be identified and moved to another table.
SECOND NORMAL FORM (2NF):
A relation is said to be in 2NF if it is 1NF and non-key attributes are functionality
dependent on the key attributes. A ‘Functional Dependency’ is a relationship among attributes.
One attribute is said to be functionally dependent on another if the value of the first attribute
depends on the value of the second attribute. In the given description flight number and halt code
is the composite key.
THIRD NORMAL FORM (3NF) :
Third Normal Form normalization will be needed where all attributes in a relation tuple are not
functionally dependent only on the key attribute. A transitive dependency is one in which one in
which one attribute depends on second which is turned depends on a third and so on.
7.SYSTEM TESTING
The purpose of testing is to discover errors. Testing is the process of trying to discover
every conceivable fault or weakness in a work product. It provides a way to check the
functionality of components, sub assemblies, assemblies and/or a finished product It is the
process of exercising software with the intent of ensuring that the
Software system meets its requirements and user expectations and does not fail in an
unacceptable manner. There are various types of test. Each test type addresses a specific testing
requirement.
TYPES OF TESTS
Unit testing
Unit testing involves the design of test cases that validate that the internal program logic is
functioning properly, and that program inputs produce valid outputs. All decision branches and
internal code flow should be validated. It is the testing of individual software units of the
application .it is done after the completion of an individual unit before integration. This is a
structural testing, that relies on knowledge of its construction and is invasive. Unit tests perform
basic tests at component level and test a specific business process, application, and/or system
configuration. Unit tests ensure that each unique path of a business process performs accurately
to the documented specifications and contains clearly defined inputs and expected results.
Integration testing
Integration tests are designed to test integrated software components to determine if they
actually run as one program. Testing is event driven and is more concerned with the basic
outcome of screens or fields. Integration tests demonstrate that although the components were
individually satisfaction, as shown by successfully unit testing, the combination of components is
correct and consistent. Integration testing is specifically aimed at exposing the problems that
arise from the combination of components.
Functional test
Functional tests provide systematic demonstrations that functions tested are available as
specified by the business and technical requirements, system documentation, and user manuals.
Functional testing is centered on the following items:
Valid Input : identified classes of valid input must be accepted.
Invalid Input : identified classes of invalid input must be rejected.
Functions : identified functions must be exercised.
Output : identified classes of application outputs must be exercised.
Systems/Procedures: interfacing systems or procedures must be invoked.
Organization and preparation of functional tests is focused on requirements, key functions, or
special test cases. In addition, systematic coverage pertaining to identify Business process flows;
data fields, predefined processes, and successive processes must be considered for testing.
Before functional testing is complete, additional tests are identified and the effective value of
current tests is determined.
System Test
System testing ensures that the entire integrated software system meets requirements. It tests a
configuration to ensure known and predictable results. An example of system testing is the
configuration oriented system integration test. System testing is based on process descriptions
and flows, emphasizing pre-driven process links and integration points
White Box Testing
White Box Testing is a testing in which in which the software tester has knowledge of the inner
workings, structure and language of the software, or at least its purpose. It is purpose. It is used
to test areas that cannot be reached from a black box level.
Black Box Testing
Black Box Testing is testing the software without any knowledge of the inner workings,
structure or language of the module being tested. Black box tests, as most other kinds of tests,
must be written from a definitive source document, such as specification or requirements
document, such as specification or requirements document. It is a testing in which the software
under test is treated, as a black box .you cannot “see” into it. The test provides inputs and
responds to outputs without considering how the software works.
6.1 Unit Testing:
Unit testing is usually conducted as part of a combined code and unit test phase of the
software lifecycle, although it is not uncommon for coding and unit testing to be conducted as
two distinct phases.
Test strategy and approach
Field testing will be performed manually and functional tests will be written in detail.
Test objectives
 All field entries must work properly.
 Pages must be activated from the identified link.
 The entry screen, messages and responses must not be delayed.
Features to be tested
 Verify that the entries are of the correct format
 No duplicate entries should be allowed
 All links should take the user to the correct page.
6.2 Integration Testing

Software integration testing is the incremental integration testing of two or more
integrated software components on a single platform to produce failures caused by interface
defects.
The task of the integration test is to check that components or software applications, e.g.
components in a software system or – one step up – software applications at the company level –
interact without error.
Test Results: All the test cases mentioned above passed successfully. No defects encountered.
6.3 Acceptance Testing
User Acceptance Testing is a critical phase of any project and requires significant
participation by the end user. It also ensures that the system meets the functional requirements.
Test Results: All the test cases mentioned above passed successfully. No defects encountered.
Sample Code:
Admin Login:
using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
public partial class Adminlogin : System.Web.UI.Page

{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void Butlogin_Click1(object sender, EventArgs e)
{
if (Txt_Username.Text == "admin" && Txt_Password.Text == "admin123")
{
Response.Redirect("Adminpostimage.aspx");
}
else
{
ClientScript.RegisterStartupScript(typeof(Page), "alert", "<script
language=JavaScript>alert('username password incorrect'); </script>");
}
}
}
Admin Post Image:
using System;
using System.Data;
using System.Linq;
using System.Web;
using System.IO;
using System.Data.SqlClient;
public partial class Adminpostimage : System.Web.UI.Page

{
SqlConnection con = new SqlConnection("Data Source=SHAMEER\\SQLEXPRESS;Initial
Catalog=Online_password;Integrated Security=True");
//public static byte[] FileBytes, FileBytes2, FileBytes3, FileBytes4, FileBytes5,
FileBytes6, FileBytes7, FileBytes8, FileBytes9;
public static byte[] FileBytes, FileBytes2, FileBytes3, FileBytes4, FileBytes5,
//public static Byte[] imgByte1;

{
protected void But_view_Click(object sender, EventArgs e)

{
//FileBytes = null;
//FileUpload img1 = (FileUpload)FileUpload1;

// //Byte[] imgByte1 = null;
// if (img1.HasFile && img1.PostedFile != null)
// {
// HttpPostedFile File = FileUpload1.PostedFile;
// imgByte1 = new Byte[File.ContentLength];
// File.InputStream.Read(imgByte1, 0, File.ContentLength);
// }
if (FileUpload1.HasFile)
{
Stream fs = default(Stream);
fs = FileUpload1.PostedFile.InputStream;
BinaryReader br = new BinaryReader(fs);
FileBytes = br.ReadBytes(FileUpload1.PostedFile.ContentLength);
fs.Close();
fs.Dispose();
br.Close();
Session["dt"] = FileBytes;
ImageButton1.ImageUrl = "Upload1.aspx";
}
//FileBytes2 = null;
{
Stream fs1 = default(Stream);
fs1 = FileUpload2.PostedFile.InputStream;
BinaryReader br1 = new BinaryReader(fs1);
FileBytes2 = br1.ReadBytes(FileUpload2.PostedFile.ContentLength);
fs1.Close();
fs1.Dispose();
br1.Close();
Session["dtt"] = FileBytes2;
}
{
fs3.Close();
fs3.Dispose();
br3.Close();
Session["dt3"] = FileBytes3;
}
{
Stream fs4= default(Stream);
fs4.Close();
fs4.Dispose();
br4.Close();
}
{
fs5.Close();
fs5.Dispose();
br5.Close();
}
{
fs6.Close();
fs6.Dispose();
br6.Close();
}
{
fs7.Close();
fs7.Dispose();
br7.Close();
}
{
fs8.Close();
fs8.Dispose();
br8.Close();
}
{
fs9.Close();
fs9.Dispose();
br9.Close();
}
}
protected void But_save_Click(object sender, EventArgs e)
{
try
{
if (FileBytes == null || FileBytes2 == null || FileBytes3 == null ||
FileBytes4 == null || FileBytes5 == null || FileBytes6 == null || FileBytes7 == null ||
FileBytes8 == null || FileBytes9 == null)
{
language=JavaScript>alert('Empty value, select images'); </script>");
}
if (con.State == ConnectionState.Closed)
con.Open();
string sql = "insert into
Upload_images(Img_Type,FileBytes1,FileBytes2,FileBytes3,FileBytes4,FileBytes5,FileBytes6,
FileBytes7,FileBytes8,FileBytes9)values(@type,@FileBytes,@FileBytes2,@FileBytes3,@FileByt
es4,@FileBytes5,@FileBytes6,@FileBytes7,@FileBytes8,@FileBytes9)";
SqlCommand cmd = new SqlCommand(sql,con);
cmd.Parameters.AddWithValue("@type",DropDownList1.Text);
cmd.Parameters.AddWithValue("@FileBytes", FileBytes);
cmd.Parameters.AddWithValue("@FileBytes2", FileBytes2);
cmd.ExecuteNonQuery();

language=JavaScript>alert('Submitted Successfully'); </script>");
FileBytes = null; FileBytes2 = null; FileBytes3 = null; FileBytes4 = null;
FileBytes5 = null; FileBytes6 = null; FileBytes7 = null; FileBytes8 = null; FileBytes9 =
null;
if (con.State == ConnectionState.Open)
con.Close();
}
catch (Exception ex)
{
Label5.Text = ex.Message.ToString();
}
}
protected void LinkButton1_Click(object sender, EventArgs e)
{
Response.Redirect("HomePage.aspx");
}
}
New Register:
using System;
using System.Data;
using System.Linq;
using System.Web;
using System.IO;
public partial class Newregister : System.Web.UI.Page

{

{
protected void But_next_Click(object sender, EventArgs e)

{
if (Txt_Username.Text == "" || Txt_Password.Text == "")

{
language=JavaScript>alert('Enter username and password'); </script>");
}
else
{
Session["Username"] = Txt_Username.Text;
Session["type"] = DropDownList1.Text;
con.Open();
int bal = 0;
SqlCommand cmd_User = new SqlCommand("insert into
Register(Username,Passsword,bank_name,ac_no,Img_Type,amount)values('" + Txt_Username.Text
+ "','" + Txt_Password.Text + "','"+Name_of_bank_tb.Text+"','"+Ac_no_tb.Text+"','" +
DropDownList1.Text + "','"+bal+"')", con);
cmd_User.ExecuteNonQuery();
language=JavaScript>alert('Saved Successfully select another password '); </script>");
Response.Redirect("Register_view_images.aspx");
con.Close();
}
}
}
New Image Set Password:
using System;
using System.Data;
using System.Linq;
using System.Web;
using System.IO;
public partial class New_image_password_set_page : System.Web.UI.Page

{
public static string image, Username;
public static byte[] image_value;
public static int Value = 0;

{
image_value = ((byte[])Session["image_value"]);
image = Session["Selectimage"].ToString();
Username = Session["Username"].ToString();
photo.ImageUrl = image;
}
protected void Save_Click(object sender, EventArgs e)
{
Value = Value + 1;
if (Value ==1 || Value ==2)

{
con.Open();
SqlCommand cmd = new SqlCommand("insert into

Regiser_image(username,imgx,imgwidth,imghight,image_value)values('" + Username + "','" +
x1.Text + "','" + w.Text + "','" + h.Text + "',@imagevalue)", con);
cmd.Parameters.AddWithValue("@imagevalue", image_value);
if (Value==1)
{
Label1.Text = "save success next drog and drop set password";
}
else
{
Label1.Text = "drag and drop password select success ";
Response.Write("<script language='javascript'>window.alert('Login
Success');</script>");
Value = 0;
con.Close();
}
con.Close();
}
else
{
Value = 0;
Server.Transfer("Home.aspx");
}
}
{
Value = 0;
}
}
User Login page Image Set password:
using System;
using System.Data;
using System.Linq;
using System.Web;
using System.IO;
public partial class User_imagepassword_loginpage : System.Web.UI.Page

{
public static string image,Username;
//public static byte[] FileBytes, FileBytes2, FileBytes3, FileBytes4, FileBytes5,
public string imgx1, imgwidth1, imghight1, imgx2, imgwidth2, imghight2;
public static int value = 0;
public static byte[] image_value;
{
Username = Session["LoginUsername"].ToString();
if (!IsPostBack)
{
value = 0;
}
con.Open();
SqlCommand cmd_select = new SqlCommand("select imgx,imgwidth,imghight,image_value
from Regiser_image where username='" + Username + "'", con);
SqlDataAdapter da = new SqlDataAdapter(cmd_select);
DataTable dt = new DataTable();
da.Fill(dt);
foreach (DataRow dr in dt.Rows)
{
imgx1 = dt.Rows[0]["imgx"].ToString();
imgwidth1 = dt.Rows[0]["imgwidth"].ToString();
imghight1 = dt.Rows[0]["imghight"].ToString();
image_value = (byte[])dr["image_value"];
imgx2 = dt.Rows[1]["imgx"].ToString();
imgwidth2 = dt.Rows[1]["imgwidth"].ToString();
imghight2 = dt.Rows[1]["imghight"].ToString();
}
con.Close();
Session["dt"] = image_value;
photo.ImageUrl = "Upload1.aspx";
}
protected void But_Login_Click(object sender, EventArgs e)
{
value = value + 1;
if (value == 1)
{
if (imgx1 + imgwidth1 + imghight1 == x1.Text + w.Text + h.Text)
{
Label1.Text = "Password selected correctly Drag another Password";

value = value + 1;
}
else
{
Label1.Text = "select correct password";
value = 0;
}
}
if (value == 3)
{
if (imgx2 + imgwidth2 + imghight2 == x1.Text + w.Text + h.Text)
{
Label1.Text = "login sucess";
Response.Redirect("Online_Transaction.aspx");
}
else
{
Label1.Text = "Please drag ur correct password";
value = 2;
}
}
}
protected void Homepage_Click(object sender, EventArgs e)
{
}
}
Online Transaction:
using System;
using System.Data;
using System.Linq;
using System.Web;
public partial class WelcomePage : System.Web.UI.Page

{
{
name_tb.Text = Session["LoginUsername"].ToString();
con.Close();
con.Open();
SqlCommand cmd = new SqlCommand("select * from Register where Username='" +
Session["LoginUsername"] + "'", con);
SqlDataReader dr2;
dr2 = cmd.ExecuteReader();
if (dr2.Read())
{
bankname_tb.Text = dr2["bank_name"].ToString();
ac_no_tb.Text = dr2["ac_no"].ToString();
}
con.Close();
}
protected void Logout_Click(object sender, EventArgs e)
{
}
protected void Button1_Click(object sender, EventArgs e)
{
//to Update the Transfer Fund & Updated in Register Database

con.Open();
int add;
string val = "0";
SqlDataReader dr;
string qry = "select amount from Register where Username='"
+partner_username_tb.Text+ "'";
SqlCommand cmd1 = new SqlCommand(qry, con);
dr = cmd1.ExecuteReader();
if (dr.Read())
{
val = dr["amount"].ToString();
}
con.Close();
con.Open();
add = int.Parse(val) + int.Parse(transfer_tb.Text);
SqlCommand cmd2 = new SqlCommand("update Register set amount='" + add + "' where
Username='" + partner_username_tb.Text + "'", con);
cmd2.ExecuteNonQuery();
con.Close();
//To Update the Current User Details

int sub;
string val1 = "0";
SqlDataReader dr1;
con.Open();
string qry1 = "select amount from Register where Username='" +
Session["LoginUsername"] + "'";
SqlCommand cmd3 = new SqlCommand(qry1, con);
dr1 = cmd3.ExecuteReader();
if (dr1.Read())
{
val1 = dr1["amount"].ToString();
}
con.Close();
con.Open();
sub = (int.Parse(val1)-int.Parse(transfer_tb.Text) ) ;
SqlCommand cmd4 = new SqlCommand("update Register set amount='" + sub + "' where
Username='" + Session["LoginUsername"] + "'", con);
con.Close();
//To Insert the Transaction Details in Transac Database

con.Open();
SqlCommand cmd = new SqlCommand("insert into Transac values ('" + name_tb.Text +
"','" + bankname_tb.Text + "','" + ac_no_tb.Text + "','" + atm_tb.Text + "','" +
partner_username_tb.Text + "','" + partnerac_no_tb.Text + "','" + transfer_tb.Text +
"')", con);
con.Close();
Response.Write("<script language='javascript'>window.alert('Successfully
Transfered');</script>");
}
protected void act_details_linkbtn_Click(object sender, EventArgs e)
{
Response.Redirect("Account_details.aspx");
}
protected void deposit_linkbtn_Click(object sender, EventArgs e)
{
Response.Redirect("Deposit.aspx");
}
}
Deposit:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
public partial class Deposit : System.Web.UI.Page

{
{
username_tb.Text = Session["LoginUsername"].ToString();
}
protected void Button1_Click(object sender, EventArgs e)
{
//To Insert the Deposited Details in Deposit Database
con.Open();
SqlCommand cmd = new SqlCommand("insert into
Deposit(name,ac_no,pin,deposit_amt)values('" + username_tb.Text + "','" + acno_tb.Text +
"','" + pin_tb.Text + "','" + deposit_amt_tb.Text + "')", con);
con.Close();
Response.Write("<script language='javascript'>window.alert('Amount
Deposited');</script>");
//To Update the Deposited Amount to Register Database

con.Open();
int add;
string val="0";
SqlDataReader dr;
string qry = "select amount from Register where Username='" +
Session["LoginUsername"] + "'";
SqlCommand cmd1 = new SqlCommand(qry, con);
dr = cmd1.ExecuteReader();
if (dr.Read())
{
val = dr["amount"].ToString();
}
con.Close();
con.Open();
add = int.Parse(val) + int.Parse(deposit_amt_tb.Text);
SqlCommand cmd2 = new SqlCommand("update Register set amount='" + add + "' where
Username='" + Session["LoginUsername"] + "'", con);
con.Close();
}
{
Server.Transfer("Online_Transaction.aspx");
}
}
Account Details:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Data;
public partial class Account_details : System.Web.UI.Page

{
{
}
{
con.Open();
SqlCommand cmd = new SqlCommand("select
name,bank_name,partner_name,partner_acno,transfer_fund from Transac where name='" +
Session["LoginUsername"] + "' ", con);
SqlDataAdapter dap = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
dap.Fill(ds);
GridView1.DataSource = ds.Tables[0];
GridView1.DataBind();
con.Close();
}
{
con.Open();
SqlCommand cmd1 = new SqlCommand("select Username,bank_name,ac_no,amount from
Register where Username='" + Session["LoginUsername"] + "' ", con);
SqlDataAdapter dap1 = new SqlDataAdapter(cmd1);
DataSet ds1 = new DataSet();
dap1.Fill(ds1);
GridView2.DataSource = ds1.Tables[0];
con.Close();
}
{
Server.Transfer("Online_Transaction.aspx");
}
{
con.Open();
SqlCommand cmd2 = new SqlCommand("select name,ac_no,deposit_amt from Deposit
where name='" + Session["LoginUsername"] + "' ", con);
SqlDataAdapter dap2 = new SqlDataAdapter(cmd2);
DataSet ds2 = new DataSet();
dap2.Fill(ds2);
GridView3.DataSource = ds2.Tables[0];
con.Close();
}
}
SCREEN SHOTS:
LOGIN PAGE:
About Page:
ADMIN LOGIN:
Admin Uploading File:

Selecting Type of the Image:
Uploaded Images:
New Registration:
Selecting Image as Password:

Selected Image will get displayed:
Crop one Portion of Image:

Next Drag & Drop another Portion:
Login Page:
Crop the Registered Portion:
Drag & Drop another Cropped Portion:

Online Transaction:
Account Details:
Cash Deposit:
Account Details after Depositing:

Transaction Processing:
After Transaction Account Details:
8. CONCLUSION
In our paper frequently used patterns can be identified and misused to generate pattern-
based password dictionaries. These common patterns can be afterward exploited to crack more
password hashes compared with traditional dictionary attacks. In order to identify common
password patterns, we performed both manual and automated analysis on a large set of leaked
real-life passwords of rockyou.com gaming portal. After identifying the patterns, we developed a
software tool, namely the pbp-generator, which creates many pattern-based passwords from a
given traditional dictionary. We utilized the generated pattern-based dictionary to perform
cracking tests against real-life leaked password hashes from 15 different datasets. According to
the test results, we could crack with pattern-dictionaries many more password hashes, which
cannot be cracked by using the rock you password list.
9.REFERENCES
[1] L. O’Gorman, “Comparing passwords, tokens, and biometrics for user authentication,” Proc.
IEEE, vol. 91, no. 12, pp. 2021–2040, Dec. 2003.
[2] (2011). PlayStation Network Hack: Why it Took Sony Seven Days to Tell the World. [Online].
Available: http://www.theguardian.com/technology/gamesblog/2011/apr/27/playstationnetwork-
hack-sony
[3] (2009). RockYou Hack Compromises 32 Million Passwords. [Online]. Available:
http://www.scmagazine.com/rockyou-hack-compromises-32-million-passwords/article/159676/
[4] (2013). Software Company Tom Sawyer Hacked, 61,000 Vendors Accounts Leaked. [Online].
Available: http://www.databreaches.net/
software-company-tom-sawyer-hacked-61000-vendors-accounts-leaked/
[5] (2013). Hackers Leak Data Allegedly Stolen from Chinese Chamber of Commerce Website.
[Online]. Available: http://news.softpedia.com/
news/Hackers-Leak-Data-Allegedly-Stolen-from-Chinese-Chamber-of-Commerce-Website-
396936.shtml
[6] LinkedIn Hack. [Online]. Available: http://en.wikipedia.org/wiki/2012_LinkedIn_hack,
accessed Apr. 22, 2015.
[7] SQL Injection. [Online]. Available: https://www.owasp.org/index.php/SQL_Injection,
[8] Password Storage Cheat Sheet. [Online].
Available:https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet,
[9] Brute-Force Attacks. [Online]. Available:
https://www.owasp.org/index.php/Brute_force_attack, accessed Apr. 22, 2015.
[10] V. Goyal, V. Kumar, M. Singh, A. Abraham, and S. Sanyal, “CompChall:Addressing
password guessing attacks,” in Proc. Int. Conf. Inf. Technol., Coding Comput. (ITCC), Apr.
2005, pp. 739–744.

Cracking More Password Hashes With Patterns

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cracking More Password Hashes With Patterns

Uploaded by

Copyright:

Available Formats

Cracking More Password Hashes with Patterns

 System : Pentium IV 2.4 GHz.

 Operating system : Windows 7 Ultimate.

What is .NET Built On?

To a developer, .NET means a great environment for creating robust distributed

To a CTO or CIO, .NET means happier developers using state-of-the-art development

II. The Common Language Runtime

 Identity information, such as the assembly’s name and version number

The Structure of a .NET Application

Compilation and Execution of a .NET Application

Table-.Representative .NET Namespaces

The namespace names are self-descriptive by design. Straightforward names make

Introduction to Object-Oriented Programming

Objects, Members, and Abstraction

An object is a programmatic construct that represents something. In the real world,

ADO.NET Data Architecture

The DataSet is a disconnected, in-memory representation of data. It can be thought of as

The DataSet contains a DataRelations collection. A DataRelation object allows you to

The Data Provider

 The Connection object provides the connection to the database.

Data access in ADO.NET is facilitated as follows: a Connection object establishes a

C# (pronounced C Sharp) is a multi-paradigm programming language that encompasses

C# is intended to be a simple, modern, general-purpose, object-oriented programming language.

Some notable C# distinguishing features are:

Common Type system (CTS)

IV. Categories of data types

CTS separate data types into two categories:

ActiveX is a specification develops by Microsoft that allows ordinary Windows programs

This can also be a disadvantage:

It isn’t as easy to program as scripting language or Java.

It works only in Microsoft Internet Explorer and only Windows platforms.

Leverage Current ADO Knowledge

Microsoft's design for ADO.NET addresses many of the requirements of today's

ADO.NET provides first-class support for the disconnected, n-tier programming

Upload Images Register Information

Drag and Drop Select Image Password

Use case Diagram:

Select Image Password

Drag and Drop

Login Select Image Password

Login Drag and Drop Select Image

Welcome SBI Bank

Register User Type

Drop Other Location

Select Image Password

SBI Home Page

User 3: Register User Type

Login Select Imag

Welcome Login Drag and Drop

Upload Images Login Drag and Drop Select Image Password

Welcome SBI Bank Register Information

Stop Select Image Password

Drag and Drop Select Image Password

Uploading Images by Admin:

Pass Points Module:

Cued Click Points Module:

Persuasive Cued Click- Points Module:

6.2 Integration Testing

public partial class Adminlogin : System.Web.UI.Page

Admin Post Image:

public partial class Adminpostimage : System.Web.UI.Page

protected void Page_Load(object sender, EventArgs e)

protected void But_view_Click(object sender, EventArgs e)