Server Side - ASP



DreamSync
14 Jul 2005, 11:12 PM
What are some of the main security concerns with ASP username-password combinations? For example:

<%
' credentials hard-coded in the script and compared as plain text
If Request.Form("username") = "user" And Request.Form("password") = "pass" Then
    ' run this code
Else
    Response.Write "wrong password"
End If
%>

I'm *not* planning to use this to protect sensitive data but I would like to know what are some of the flaws with this login method.

Rincewind
17 Jul 2005, 03:23 AM
There are basically 2 ways to crack a password.

- Intercept the pass when used.

- Work out or guess the password.

The interception can be foiled by using an SSL for the password page. You don't have to buy a verified SSL (unless you are using the password system for public/commercial use). If you are just using it personally, then you can set up a self-signed SSL certificate for yourself. This is just as secure as the commercial SSL certs, however it doesn't have the trusted partner authentication of that security. But since it's you that is using it, and it is you that is accessing it, then you can trust yourself (I assume you can trust yourself not to hack yourself?)

The second problem is also quite simple to solve. There are several ways people can work out passwords:

- Keep guessing words till one works. A so-called "Brute Force Attack". They often use scripts with dictionaries in them to just try every single word in a few minutes.
- Trick you into telling them the password. Known as phishing. It's amazing how many people will tell you their password if you phone them up, claim to be the system admin or tech support and ask them for their pass.

There are 3 main things you can do to protect yourself from these.

- Don't write your password down.

- Use different passwords for different things. You don't want someone to crack your site and then get access to your bank account!

- Don't use a password that is easy to guess or is a real word. Ideally, at least 8 characters long and using a random mix of small and caps letters plus numbers and punctuation. E.g. D-r_Wr8+e is a secure complex pass. "fidorover" is not.

- Limit the number of times someone can guess wrong before your script locks them out completely.

- Don't actually store or transmit the actual pass. Store the MD5sum hash of the password in your script or database. Then when you type it into the form, the script MD5-hashes your submission and compares that to the stored version. So even if someone read your script they would not get your pass.

Finally, don't be lazy with your security. Just because the data here is not mega important is no excuse to be sloppy. Develop a good quality security system and personal behaviour and then use it everywhere. Sometimes it may be overkill, but hackers always attack the easiest point. If you let them into one section easily, then you may inadvertently have given them enough info to get into the harder secured area. (e.g. if your password habits are poor and you used the same pass on both the unimportant and important systems). If you are going to secure something, then you secure it properly.
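Worked example of the last two points in the answer above (lock out after too many wrong guesses, store a hash instead of the password). This is added here and is not code from either post; it is written in Python rather than Classic ASP so it can be run stand-alone, and it uses a salted, iterated PBKDF2-SHA256 hash in place of the bare MD5 the post mentions, since an unsalted fast hash of a password can be recovered with the same dictionary scripts the post warns about. The user store, the lockout threshold of five and the "user"/"pass" credentials are constructed for the demonstration.

```python
"""Hashed password storage plus a failed-attempt lockout (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 100_000     # PBKDF2 work factor; raise it as hardware gets faster
MAX_FAILURES = 5         # assumption: lock the account after five wrong guesses


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: algorithm$iterations$salt$digest (all hex)."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash of a constructed throwaway value, used when the username does not exist
# so that "unknown user" and "wrong password" take the same time and give the
# same answer (the login form should not reveal which usernames are valid).
DUMMY_HASH = hash_password("dummy-value-never-accepted")


class LoginGuard:
    """Checks credentials against hashed storage and counts wrong guesses per user."""

    def __init__(self, users: Dict[str, str], max_failures: int = MAX_FAILURES) -> None:
        self.users = users            # username -> stored hash string
        self.failures: Dict[str, int] = {}   # username -> consecutive wrong guesses
        self.max_failures = max_failures

    def is_locked(self, username: str) -> bool:
        return self.failures.get(username, 0) >= self.max_failures

    def login(self, username: str, password: str) -> str:
        """Return "ok", "wrong password" or "locked"; never the stored hash itself."""
        if self.is_locked(username):
            return "locked"
        stored = self.users.get(username, DUMMY_HASH)
        ok = verify_password(password, stored) and username in self.users
        if ok:
            self.failures.pop(username, None)   # reset the counter on success
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "wrong password"


if __name__ == "__main__":
    # constructed user store: only the hash is kept, not the word "pass"
    guard = LoginGuard({"user": hash_password("pass")}, max_failures=3)
    for attempt in ("pass", "guess1", "guess2", "guess3", "pass"):
        print(attempt, "->", guard.login("user", attempt))
```

The stored string carries its own salt and iteration count, so the work factor can be raised later without invalidating existing entries: a login that verifies against an old, lower count can simply be re-hashed with the current ITERATIONS at that point.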