Wrox Programmer Forums

Classic ASP Professional For advanced coder questions in ASP 3. NOT for ASP.NET 1.0, 1.1, or 2.0.
#1 (permalink)
November 29th, 2009, 10:50 AM
Authorized User
Join Date: Jan 2005
Posts: 46
Thanks: 0
Thanked 0 Times in 0 Posts
Hacker-proof log in

Hi,

I have written an online application (ASP) that requires a password to be entered (on the login page) in order to access it.

Is this open to attack by hackers (e.g. with software that repeatedly tries random passwords until the correct one is found)? If so, how can I safeguard against such attacks?

One option may be one of those images that shows a random sequence of letters to be entered, or perhaps a limit on the number of login attempts within a set time. However, I don't know if these are the standard ways of approaching this issue.

Please can you tell me what the recommended approach is to this?

Thanks.

#2 (permalink)
June 29th, 2010, 09:09 AM
Friend of Wrox
Points: 489, Level: 7
Activity: 0%
Join Date: Dec 2006
Location: Berkshire, United Kingdom.
Posts: 104
Thanks: 9
Thanked 1 Time in 1 Post

Steve,

There are quite a few ways you can improve the security of your log in process but one of the first important ones is control over passwords.

If you are not already using a form of encryption with your password then the answer would be you should.

If this is the case do a search for ASP MD5 encryption which should provide you with a starting process for encrypting and comparing entered passwords. MD5 encryption by itself is still hackable due to lists available with passwords and the associated encrypted string so you need to add what is known as a salt process.

This adds an additional layer of security as it will change the encrypted string dependent on what solution you use.

Regarding the login process, I have seen delays in providing the login page per attempt working quite well, e.g. 1 second delay for first attempt, 2 seconds for second, etc. This quite quickly slows a login force.

Hope this helped..

Cheers

Aspless
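
The salting idea from this reply, as an added example that is not part of the original post. It is written in Python to show the logic and swaps the MD5 mentioned above for PBKDF2-HMAC-SHA256, a deliberately slow derivation; the function names, storage format and iteration count are assumptions.

```python
# Added example (not from the thread). A per-user random salt plus a slow
# key-derivation function: identical passwords store differently, so a
# precomputed list of password/hash pairs no longer matches anything.
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 200_000   # assumption: tune upward as far as the server allows
SALT_BYTES = 16


def unsalted_md5(password: str) -> str:
    """The weak baseline: same password always gives the same string."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex' for storage in the user table."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # fresh salt for every user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare."""
    try:
        iter_str, salt_hex, hash_hex = stored.split("$")
        iterations = int(iter_str)
        if iterations < 1:
            raise ValueError("bad iteration count")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False   # malformed record: fail closed
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)   # constant-time compare
```

Because the salt and iteration count are stored alongside the hash, the iteration count can be raised later without invalidating existing records.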

#3 (permalink)
June 29th, 2010, 06:48 PM
Friend of Wrox
Points: 6,664, Level: 34
Activity: 0%
Join Date: Jan 2004
Location: Sydney, NSW, Australia.
Posts: 1,870
Thanks: 12
Thanked 20 Times in 20 Posts

;;;One option may be one of those images that shows a random sequence of letters to be entered

It's called a CAPTCHA image test. Yes, a very good idea to stop any web form you have being hijacked by an automated process. A good Classic ASP one with complete code can be found at:

http://www.tipstricks.org/

As suggested above, encryption is all very good, but just as important is to enforce strong passwords. It's all very good and well posting and storing an encrypted password string, but if the string is weak (a real word, for example) it's considerably more hackable than an alphanumeric string with a special character and maybe upper and lower case characters.

You also mention a limit to the attempts, also a good idea. This is a bit over the top, however one client we have insists on:

min string character length
alpha numeric including upper and lower case
three failed attempts will inactivate the account for the matched user name
change enforced every 90 days
may not use any of the previous 20 passwords

However you can do all that and still get hacked of course...
__________________
Wind is your friend
Matt
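
The growing per-attempt delay from reply #2 and the three-failure lockout from this reply, combined in one added example that is not part of the original posts. It is written in Python to show the logic; the class name, the in-memory store and the 15-minute unlock time are assumptions, and a real site would keep this state in its user table.

```python
# Added example (not from the thread): per-user-name failure tracking with
# a delay that grows by one second per failed attempt, and a timed lockout
# once three attempts have failed.
import time

MAX_FAILURES = 3            # from the thread: three failed attempts
LOCKOUT_SECONDS = 15 * 60   # assumption: the thread gives no unlock time


class LoginThrottle:
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so the logic can be tested
        self._state = {}      # user name -> (failure_count, locked_until)

    @staticmethod
    def _key(username):
        return username.strip().lower()

    def _load(self, username):
        failures, locked_until = self._state.get(self._key(username), (0, 0.0))
        if locked_until and self._clock() >= locked_until:
            failures, locked_until = 0, 0.0   # lockout expired: start over
        return failures, locked_until

    def check(self, username):
        """Return (allowed, delay_seconds); call before checking the password."""
        failures, locked_until = self._load(username)
        if locked_until:
            return False, 0
        # 1 second for the first attempt, 2 for the second, and so on.
        return True, failures + 1

    def record_failure(self, username):
        failures, locked_until = self._load(username)
        failures += 1
        if failures >= MAX_FAILURES:
            locked_until = self._clock() + LOCKOUT_SECONDS
        self._state[self._key(username)] = (failures, locked_until)

    def record_success(self, username):
        self._state.pop(self._key(username), None)
```

The server sleeps for `delay_seconds` before answering, so the slowdown does not depend on the client. The timed unlock is there because a permanent lock keyed on user name also denies service to the account's legitimate owner.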

#4 (permalink)
June 29th, 2010, 07:29 PM
Friend of Wrox
Join Date: Jun 2008
Location: Snohomish, WA, USA
Posts: 1,649
Thanks: 3
Thanked 141 Times in 140 Posts

Not to ask a silly question, but...

Why are you guys replying to a question from 8 months ago??

#5 (permalink)
June 29th, 2010, 08:45 PM
Friend of Wrox
Points: 6,664, Level: 34
Activity: 0%
Join Date: Jan 2004
Location: Sydney, NSW, Australia.
Posts: 1,870
Thanks: 12
Thanked 20 Times in 20 Posts

Afternoon Old Pedant - I didn't think there was such a thing as a silly question....lol

Well I did feel a bit silly when I saw your post. After closer inspection I assume you are talking to aspless since he resurrected this old post yesterday...
__________________
Wind is your friend
Matt

#6 (permalink)
June 30th, 2010, 04:22 AM
Friend of Wrox
Points: 489, Level: 7
Activity: 0%
Join Date: Dec 2006
Location: Berkshire, United Kingdom.
Posts: 104
Thanks: 9
Thanked 1 Time in 1 Post

Old Pedant, mat41

Hope you are both well..

Very good question ... Next time maybe I'll look at the posted date first... doh!

Cheers

All times are GMT -4.