I really do agree with you but the thing is the data from the feeds that I am importing via SSIS is not clean data. Sometimes all I have is an email address. I would have to compromise the quality of the users' data in order to create a user. The original database would be funny if I was not dealing with it. No foreign keys and pipe delimited fields that are the one-to-many relationships. Unreal.

[EMAIL PROTECTED]
> Date: Thu, 3 Jan 2008 11:16:14 -0500
> From: [EMAIL PROTECTED]
> Subject: Re: [ADVANCED-DOTNET] non authenticated security
> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
>
> I would suggest storing only a hash of the PIN/password, but if you take
> server compromise out of the picture it doesn't make it any more secure.
>
> It's "secure" but it could be more secure. Some things that would make it
> more secure: mandate passwords of at least 8 characters and include three
> types of characters (like lower-case, upper case, and punctuation), don't
> accept passwords with real words in them, mandate the password change
> every x days, etc.
>
> I would certainly suggest making them full-fledged users, with different
> permissions.
>
> On Thu, 3 Jan 2008 16:09:11 +0000, Paul Cowan <[EMAIL PROTECTED]> wrote:
>
> >At present, it is stored as plain text in the database.
> >
> >At the very least, I should encrypt it I guess.
> >
> >I was thinking of creating the user when I am importing the contacts via
> >an SSIS import and then getting the user to change their password on first
> >login.
> >
> >But the records are not in great shape.
> >
> >[EMAIL PROTECTED]
> >
> >> Date: Thu, 3 Jan 2008 10:52:54 -0500
> >> From: [EMAIL PROTECTED]
> >> Subject: Re: [ADVANCED-DOTNET] non authenticated security
> >> To: ADVANCED-[EMAIL PROTECTED]
> >>
> >> Is this PIN stored in a database somewhere, or do they have to re-enter it
> >> after it "expires"?
> >>
> >> On Thu, 3 Jan 2008 15:54:03 +0000, Paul Cowan <[EMAIL PROTECTED]> wrote:
> >>
> >> >Hi all,
> >> >
> >> >I am migrating an ASP app. to an ASP.NET and have spotted a potential
> >> >security hole.
> >> >
> >> >Most of the app. I am securing with Forms authentication but as stands
> >> >they have another requirement whereby users who are just contacts who
> >> >exist in the system without a username or password can access certain
> >> >parts of the site which are sensitive. They have been entered in the
> >> >system by importing an excel or SAP feed. They have not been created
> >> >via the system and as such do not have usernames or passwords.
> >> >
> >> >The way things stand at the minute, the user gets redirected to a page
> >> >where they create a 4 digit pin number which allows them to access the
> >> >system via another page.
> >> >
> >> >This seems terrible to me.
> >> >
> >> >Can anyone think of a better way of handling this situation?
> >> >
> >> >Cheers
> >> >
> >> >[EMAIL PROTECTED]
> >> >
> >> >===================================
> >> >This list is hosted by DevelopMentor® http://www.develop.com
> >> >
> >> >View archives and manage your subscription(s) at http://discuss.develop.com
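The stored-hash and password-policy advice in the quoted reply, as an added C# example (not code from the thread or from the poster's application): a salted PBKDF2 hash via Rfc2898DeriveBytes, the "at least 8 characters, three character classes" check, and a constant-time verify. The class and method names, and the iteration count, are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

// Added example, not code from the thread. Assumes .NET 4.0 or later (IDisposable KDF/RNG).
public static class CredentialStore
{
    const int SaltBytes = 16;
    const int HashBytes = 32;
    const int Iterations = 100000; // assumption: raise until one hash takes ~100 ms on your server

    // Policy from the reply: 8+ characters and at least three classes (lower, upper, digit, other).
    public static bool MeetsPolicy(string password)
    {
        if (password == null || password.Length < 8) return false;
        int classes = 0;
        if (Regex.IsMatch(password, "[a-z]")) classes++;
        if (Regex.IsMatch(password, "[A-Z]")) classes++;
        if (Regex.IsMatch(password, "[0-9]")) classes++;
        if (Regex.IsMatch(password, "[^a-zA-Z0-9]")) classes++;
        return classes >= 3;
    }

    // Produces "iterations:salt:hash" (base64) for the database; the plaintext is never stored.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        byte[] hash;
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            hash = kdf.GetBytes(HashBytes);
        return Iterations + ":" + Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    // Recomputes the hash from the stored salt and iteration count, then compares in constant time.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 3) return false;
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual;
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            actual = kdf.GetBytes(expected.Length);
        int diff = 0; // OR together every byte difference so the loop never exits early
        for (int i = 0; i < actual.Length; i++)
            diff |= actual[i] ^ expected[i];
        return diff == 0;
    }
}
```

A 4-digit PIN has only 10,000 possible values, so hashing alone does little against offline guessing once the table leaks; the policy check is what gives the stored hash real strength.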