Classic ASP Professional For advanced coder questions in ASP 3. NOT for ASP.NET 1.0, 1.1, or 2.0.
Old November 29th, 2009, 10:50 AM
Authorized User
 
Join Date: Jan 2005
Posts: 46
Hacker-proof log in

Hi,

I have written an online application (ASP) that requires a password to be entered (on the login page) in order to access it.

Is this open to attack by hackers (e.g. with software that repeatedly tries random passwords until the correct one is found)? If so, how can I safeguard against such attacks?

One option may be one of those images that shows a random sequence of letters to be entered, or perhaps a limit on the number of login attempts within a set time. However, I don't know if these are the standard ways of approaching this issue.

Please can you tell me what the recommended approach is to this?

Thanks.
 
Old June 29th, 2010, 09:09 AM
Friend of Wrox
 
Join Date: Dec 2006
Posts: 104

Steve,

There are quite a few ways you can improve the security of your log in process but one of the first important ones is control over passwords.

If you are not already using a form of encryption with your password then the answer would be you should.

If this is the case do a search for ASP MD5 encryption which should provide you with a starting process for encrypting and comparing entered passwords. MD5 encryption by itself is still hackable due to lists available with passwords and the associated encrypted string, so you need to add what is known as a salt process.

This adds an additional layer of security as it will change the encrypted string dependent on what solution you use.

Regarding the login process I have seen delays in providing the login page per attempt working quite well, e.g. 1 second delay for the first attempt, 2 seconds for the second etc. This quite quickly slows a login force.

Hope this helped.

Cheers

Aspless
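The two ideas in the reply above, a per-user salt and an escalating delay after each failed attempt, as an added example in Python rather than Classic ASP (this is not code from the post). PBKDF2-HMAC-SHA256 is used in place of the MD5 the reply mentions: it is salted the same way but deliberately slow, which is what a stored password hash should be. The record layout, the iteration count and the `sleep` parameter are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor; tune so one check costs a noticeable fraction of a second.
ITERATIONS = 200_000
MAX_DELAY_SECONDS = 30  # assumed cap so the delay cannot grow without bound


def make_record(password: str) -> dict:
    """Build the stored record for a new password: random salt + salted hash.

    The salt is stored beside the hash; it is not secret, it only makes
    precomputed 'password -> hash' lists useless against this record.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "failures": 0}


def check_password(record: dict, candidate: str) -> bool:
    """Recompute the salted hash of the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


def delay_for(failures: int) -> int:
    """Seconds to wait before the next attempt: 1 after the first failure,
    2 after the second, and so on (the reply's scheme), capped."""
    return min(failures, MAX_DELAY_SECONDS)


def attempt_login(record: dict, candidate: str, sleep=time.sleep) -> bool:
    """Apply the escalating delay, then check the password.

    `sleep` is injectable so the delay can be observed without really waiting.
    """
    sleep(delay_for(record["failures"]))
    if check_password(record, candidate):
        record["failures"] = 0  # a successful login resets the counter
        return True
    record["failures"] += 1
    return False
```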
 
Old June 29th, 2010, 06:48 PM
Friend of Wrox
 
Join Date: Jan 2004
Posts: 1,870

> One option may be one of those images that shows a random sequence of letters to be entered

It's called a CAPTCHA image test. Yes, a very good idea to stop any web form you have from being hijacked by an automated process. A good Classic ASP one with complete code can be found at:

http://www.tipstricks.org/

As suggested above, encryption is all very good but just as important is to enforce strong passwords. It's all very good and well posting and storing an encrypted password string, but if the string is weak (a real word for example) it's considerably more hackable than an alphanumeric string with a special character and maybe upper and lower case characters.

You also mention a limit to the attempts, also a good idea. This is a bit over the top, however one client we have insists on:

min string character length
alphanumeric including upper and lower case
three failed attempts will inactivate the account for the matched user name
change enforced every 90 days
may not use any of the previous 20 passwords

However you can do all that and still get hacked of course...
__________________
Wind is your friend
Matt
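The password rules and the three-strikes lockout from the client policy above, as an added example in Python (not code from the post or from the linked site). The minimum length of 10 is an assumption, since the post gives no number; the actual password comparison is passed in as a `verify` callable so the lockout logic stays independent of how the hash is stored.

```python
import re
from dataclasses import dataclass

MIN_LENGTH = 10    # assumed value; the post only says "min string character length"
MAX_FAILURES = 3   # "three failed attempts will inactivate the account"


def password_policy_errors(pw: str) -> list:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        errors.append("no lower-case letter")
    if not re.search(r"[A-Z]", pw):
        errors.append("no upper-case letter")
    if not re.search(r"[0-9]", pw):
        errors.append("no digit")
    return errors


@dataclass
class Account:
    username: str
    failures: int = 0
    locked: bool = False


def login(acct: Account, candidate: str, verify) -> bool:
    """Wrap the password check `verify(candidate) -> bool` with the lockout rule.

    Once locked, the account is inactive until an administrator calls unlock();
    a correct password is not accepted in that state. Because the lock is keyed
    on the user name, log repeated lockouts: they also show up when someone is
    being locked out on purpose, which is the trade-off the post alludes to.
    """
    if acct.locked:
        return False
    if verify(candidate):
        acct.failures = 0
        return True
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True
    return False


def unlock(acct: Account) -> None:
    """Administrative reset after the user has been verified out of band."""
    acct.failures = 0
    acct.locked = False
```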
 
Old June 29th, 2010, 07:29 PM
Friend of Wrox
 
Join Date: Jun 2008
Posts: 1,649

Not to ask a silly question, but...

Why are you guys replying to a question from 8 months ago??
 
Old June 29th, 2010, 08:45 PM
Friend of Wrox
 
Join Date: Jan 2004
Posts: 1,870

Afternoon Old Pendant - I didn't think there was such a thing as a silly question... lol

Well I did feel a bit silly when I saw your post. After closer inspection I assume you are talking to aspless since he resurrected this old post yesterday...
__________________
Wind is your friend
Matt
 
Old June 30th, 2010, 04:22 AM
Friend of Wrox
 
Join Date: Dec 2006
Posts: 104

Old Pedant, mat41

Hope you are both well..

Very good question... Next time maybe I'll look at the posted date first... doh!

Cheers
