asp.net - Login Page security?


I have designed the login page for one of our websites and have used the following resources:

  1. login name and password labels and textboxes
  2. a combo box for multilingual support
  3. a submit button

Now, to make the page more secure, I am planning to use the following points:

  1. CAPTCHA / reCAPTCHA
  2. number of retries: block after 3 unsuccessful login attempts

I have seen these things while visiting other sites. I want to know:

  1. whether these extra points make some difference to security?
  2. how I should implement the number of retries, and when I should unblock the user account again.

What is the right approach?

  1. General - Require strong passwords and limit login tries per user (not per IP/cookie). If you add a 5 minute lock-down on a user name after 3 fails, a brute force attack will take more years than your site will be live (dictionary attacks are not possible since you require strong passwords)*.

  2. Protect your users - In the form, don't post the password in clear text, post a hashed version, e.g. `md5([your domain] + [password])`. The reason to add the domain is to protect the hash of the password from the server owner (you): if the user DB is hacked, the stored hashed passwords are useless even if the users use the same password on multiple sites. If you want it stronger, hash with a SHA version. Make a JS script that replaces the password with the hashed one before sending. Remember to have the hash calculated on the registration page too; never let the password be sent from the browser in clear text. You don't want to know it!

  3. http://en.wikipedia.org/wiki/cross-site_request_forgery - have the server sign cookie values to make cookie forgery harder.

  4. Encryption - either use TLS/SSL or an RSA script and encrypt the form data with the server's public key.

  5. Man-in-the-middle - The hardest threat to guard against. I guess HTTPS is the easiest way, but a trusted certificate costs money. If you self-sign, users today don't bother whether it's the right cert or not, which requires informing your users. Buy a cert or hope you don't have a man-in-the-middle.

I never use reCAPTCHA on login, since the lock-down of the user name is more effective and less disturbing to the user. Though use reCAPTCHA on account registration so you don't end up having a lot of scripted accounts.

  • * Limiting login tries per username is used to block the user from logging in. Brute force attacks are still available, since you can attack a lot of usernames and not one, keeping the attack under the limit per username that triggers the block. A site with few (less than 10.000?) user accounts should be quite safe.
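The retry limit from point 1 (block a user name after 3 failures, release it again after 5 minutes, which also answers the "when should I unblock" part of the question) as a worked example. This is added code, not from the question or the answer; the `LoginGuard` class, `attempt_login`, and the `DEMO_USERS` store are constructed for the demo, and it is written in Python because the lockout logic is the same whatever server framework runs the page.

```python
import time

MAX_FAILURES = 3            # block after the third bad attempt
LOCKOUT_SECONDS = 5 * 60    # release the user name again after 5 minutes


class LoginGuard:
    """Per-user-name failure counter with a timed lockout (hypothetical helper).

    State is kept in memory for the demo; a real site would keep it in the
    user table or a shared cache so every web server sees the same counts.
    """

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # user name -> consecutive failed attempts
        self._locked_until = {}  # user name -> epoch seconds when the lock ends

    def is_locked(self, username, now=None):
        """True while the user name is blocked.

        Expired locks are cleared here, so unblocking needs no administrator
        action: the account simply becomes usable again once the time is up.
        """
        now = time.time() if now is None else now
        until = self._locked_until.get(username)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def record_failure(self, username, now=None):
        """Count a failed attempt and start the lock on the last allowed one."""
        now = time.time() if now is None else now
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
        return count

    def record_success(self, username):
        """A correct login resets the counter."""
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def attempt_login(guard, check_credentials, username, password, now=None):
    """Return 'locked', 'ok' or 'failed'.

    The credential check is skipped while the name is locked, so a locked
    account answers the same way whether or not the password was right.
    """
    if guard.is_locked(username, now):
        return "locked"
    if check_credentials(username, password):
        guard.record_success(username)
        return "ok"
    guard.record_failure(username, now)
    return "failed"


# Constructed sample user store for the demo only; a real store holds
# password hashes, not plaintext, and compares them in constant time.
DEMO_USERS = {"alice": "correct horse battery staple"}


def demo_check(username, password):
    return DEMO_USERS.get(username) == password


if __name__ == "__main__":
    guard = LoginGuard()
    for pw in ("guess1", "guess2", "guess3", "correct horse battery staple"):
        print(pw, "->", attempt_login(guard, demo_check, "alice", pw))
```

Two design points worth keeping when moving this into a real login handler: the lock is checked before the password is verified, so an attacker gets the same "locked" answer for right and wrong guesses during the lock; and, as the footnote above says, the counter is per user name, so it does not bound attempts spread over many accounts, which needs a separate site-wide rate counter.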
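Point 3 says to have the server sign cookie values so they cannot be forged or altered by the client. As an added example that is not part of the answer, the following Python shows the usual way to do that with an HMAC: the cookie carries the value plus a tag computed under a key only the server knows, and the server rejects any cookie whose tag does not recompute. The `SERVER_KEY` value is a placeholder and the cookie contents are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Placeholder only: the real key is a long random secret that stays on the server.
SERVER_KEY = b"PLACEHOLDER-server-secret-replace-me"


def _tag(value, key):
    """HMAC-SHA256 of the value, encoded URL-safe without padding.

    The encoding contains no '.', so the tag can be split off the value safely.
    """
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def sign_cookie(value, key=SERVER_KEY):
    """Return '<value>.<tag>' for storage in the cookie."""
    return f"{value}.{_tag(value, key)}"


def verify_cookie(cookie, key=SERVER_KEY):
    """Return the original value if the tag matches, otherwise None.

    rpartition splits at the last '.', so the value itself may contain dots.
    hmac.compare_digest avoids leaking how many tag characters matched.
    """
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    if not hmac.compare_digest(_tag(value, key), tag):
        return None
    return value


if __name__ == "__main__":
    cookie = sign_cookie("user=alice;lang=en")
    print(cookie)
    print(verify_cookie(cookie))
    # Constructed tampering attempt: same tag, edited value -> rejected
    forged = "user=admin;lang=en." + cookie.rpartition(".")[2]
    print(verify_cookie(forged))
```

A signed cookie is still readable by the user and can be replayed until it expires, so put an expiry timestamp inside the signed value and keep anything secret out of it; the signature only guarantees that the server wrote the value.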
