I would suggest storing only a hash of the PIN/password, but if you take server compromise out of the picture it doesn't make it any more secure.
It's "secure" but it could be more secure. Some things that would make it more secure: mandate passwords of at least 8 characters that include three types of characters (like lower-case, upper-case, and punctuation), don't accept passwords with real words in them, mandate a password change every x days, etc. I would certainly suggest making them full-fledged users, with different permissions.

On Thu, 3 Jan 2008 16:09:11 +0000, Paul Cowan <[EMAIL PROTECTED]> wrote:

> At present, it is stored as plain text in the database.
>
> At the very least, I should encrypt it, I guess.
>
> I was thinking of creating the user when I am importing the contacts via an SSIS import and then getting the user to change their password on first login.
>
> But the records are not in great shape.
>
> [EMAIL PROTECTED]
>
> > Date: Thu, 3 Jan 2008 10:52:54 -0500
> > From: [EMAIL PROTECTED]
> > Subject: Re: [ADVANCED-DOTNET] non authenticated security
> > To: ADVANCED-[EMAIL PROTECTED]
> >
> > Is this PIN stored in a database somewhere, or do they have to re-enter it after it "expires"?
> >
> > On Thu, 3 Jan 2008 15:54:03 +0000, Paul Cowan <[EMAIL PROTECTED]> wrote:
> >
> > > Hi all,
> > >
> > > I am migrating an ASP app. to ASP.NET and have spotted a potential security hole.
> > >
> > > Most of the app. I am securing with Forms authentication, but as it stands they have another requirement whereby users who are just contacts, who exist in the system without a username or password, can access certain parts of the site which are sensitive. They have been entered in the system by importing an Excel or SAP feed. They have not been created via the system and as such do not have usernames or passwords.
> > >
> > > The way things stand at the minute, the user gets redirected to a page where they create a 4-digit PIN number which allows them to access the system via another page.
> > >
> > > This seems terrible to me.
> > >
> > > Can anyone think of a better way of handling this situation?
> > >
> > > Cheers
> > >
> > > [EMAIL PROTECTED]

===================================
This list is hosted by DevelopMentor® http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com
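The two points raised in this thread, storing only a hash instead of the plaintext PIN and applying a password policy (length, character classes, no dictionary words), are shown together below as an added example. It is not code from the thread or from the ASP.NET application being discussed; it is a stand-alone Python illustration. The storage format, the function names, the iteration count (deliberately low so the offline-guessing demo finishes in about a second; a production value is far higher) and the four-entry word list are all assumptions made for the example. The `recover_four_digit_pin` function makes the caveat behind the first reply concrete: once the database record leaks, hashing a 4-digit PIN buys almost nothing, because there are only 10,000 candidates to try.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

# Assumption for this example: kept small so the exhaustion demo below is fast.
# A real deployment would use a far larger count (or a memory-hard KDF).
DEMO_ITERATIONS = 1000


def hash_secret(secret: str, salt: Optional[bytes] = None,
                iterations: int = DEMO_ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    This is what goes in the database column instead of the plaintext PIN/password.
    A fresh random salt per record stops one precomputed table from covering every row.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(stored: str, candidate: str) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def recover_four_digit_pin(stored: str) -> Tuple[Optional[str], int]:
    """Offline exhaustion of a leaked record: a 4-digit PIN has only 10,000 candidates.

    Returns (pin, guesses_tried). Salting and key stretching slow each guess by a
    constant factor; they cannot turn a 10,000-element keyspace into a large one.
    Only an online lockout / rate limit helps, and that protects nothing once the
    database itself has been copied.
    """
    guesses = 0
    for n in range(10_000):
        candidate = f"{n:04d}"
        guesses += 1
        if verify_secret(stored, candidate):
            return candidate, guesses
    return None, guesses


# Constructed stand-in for a real dictionary (assumption of this example).
DEMO_WORDLIST = {"password", "welcome", "summer", "monkey"}


def meets_policy(pw: str, min_len: int = 8, min_classes: int = 3) -> List[str]:
    """Apply the policy from the reply above; return the rules violated (empty = passes)."""
    problems: List[str] = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum(
        any(c in cls for c in pw)
        for cls in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation)
    )
    if classes < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    lowered = pw.lower()
    for word in sorted(DEMO_WORDLIST):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    record = hash_secret("1234")
    print("stored record:", record)
    print("verify 1234:", verify_secret(record, "1234"))
    pin, tried = recover_four_digit_pin(record)
    print(f"offline recovery found PIN {pin} after {tried} guesses")
    print("policy check for '1234':", meets_policy("1234"))
    print("policy check for 'Password1!':", meets_policy("Password1!"))
```

The hash record is what the thread suggests storing; `recover_four_digit_pin` is the reason the first reply qualifies that advice. Making the contacts full users with a real password that passes `meets_policy` moves the keyspace from 10,000 to something the stretching actually defends.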