Re: Secure login system
On Tuesday 05 Feb 2008, Peterson, Chris wrote:
> add a captcha to the login screen ... would stop any mass-login attempt

A lot of CAPTCHAs can be defeated by OCR; even complicated ones can be broken (say) 30% of the time, and if the protected service is worth that (like, say, Yahoo) people will do it.

And you can break 100% of CAPTCHAs if you perform a sort of man-in-the-middle attack and offer free porn to a person for solving it.

--
Tom Chiverton
Helping to continuously develop fine-grained e-services on: http://thefalken.livejournal.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:298307
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: Secure login system
The only other thing I would add is a counter of bad login attempts. If 5 attempts failed, I would lock out the account for a minute. If more than 20 attempts, I lock it out until I reset it.

I have one very important page set up so that the user has to log in with the same set of credentials twice. The first time it appears that it didn't work. I tell the users (only a handful of people) they have to do it twice. I figure anyone hacking in will never try the same set twice.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:298252
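Al's two-tier counter (a one-minute lock after 5 failures, a lock that only an administrator clears after more than 20), worked through as an added Python example; this is not Al's code, and the thread itself is about ColdFusion. The in-memory `LockoutTracker`, its injectable clock and the `attempt_login` wrapper are this example's own assumptions, standing in for columns that would live in the login table.

```python
import time
from dataclasses import dataclass

SOFT_LOCK_THRESHOLD = 5      # failed attempts before a temporary lock (from the post)
SOFT_LOCK_SECONDS = 60       # "lock out the account for a minute"
HARD_LOCK_THRESHOLD = 20     # "more than 20 attempts": only an administrator unlocks


@dataclass
class LoginState:
    failures: int = 0
    locked_until: float = 0.0    # epoch seconds; 0.0 means no temporary lock
    hard_locked: bool = False


class LockoutTracker:
    """Per-account failed-login counter kept in memory (assumed storage for
    this example; a real deployment would persist these in the login table)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the minute can be simulated
        self._state = {}

    def _get(self, username):
        return self._state.setdefault(username, LoginState())

    def is_locked(self, username):
        st = self._get(username)
        return st.hard_locked or self._clock() < st.locked_until

    def record_failure(self, username):
        st = self._get(username)
        st.failures += 1
        if st.failures > HARD_LOCK_THRESHOLD:
            st.hard_locked = True                 # stays set until admin_reset()
        elif st.failures % SOFT_LOCK_THRESHOLD == 0:
            st.locked_until = self._clock() + SOFT_LOCK_SECONDS
        return st.failures

    def record_success(self, username):
        st = self._get(username)
        st.failures = 0
        st.locked_until = 0.0

    def admin_reset(self, username):
        self._state[username] = LoginState()


def attempt_login(tracker, username, password_ok):
    """Return 'locked', 'ok' or 'failed'. The lock is checked before the
    credential, so while the lock holds a right and a wrong password get
    the same answer and the counter is not consulted at all."""
    if tracker.is_locked(username):
        return "locked"
    if password_ok:
        tracker.record_success(username)
        return "ok"
    tracker.record_failure(username)
    return "failed"


def simulate():
    """Constructed scenario: five bad passwords, the correct one inside the
    lock window, then the correct one again after the minute has passed."""
    now = [1_000.0]
    tracker = LockoutTracker(clock=lambda: now[0])
    results = [attempt_login(tracker, "alice", False) for _ in range(5)]
    results.append(attempt_login(tracker, "alice", True))   # still inside the minute
    now[0] += SOFT_LOCK_SECONDS + 1
    results.append(attempt_login(tracker, "alice", True))   # lock has expired
    return results


if __name__ == "__main__":
    print(simulate())
```

The trade-off of any per-account counter is that someone who knows a login name can lock its owner out by submitting bad passwords, so the lock events should be logged for the administrator and the counter is best paired with per-source rate limiting rather than used alone.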
RE: Secure login system
That's pretty smart.

-----Original Message-----
From: Al Musella, DPM [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 05, 2008 3:35 PM
To: CF-Talk
Subject: Re: Secure login system

> The only other thing I would add is a counter of bad login attempts. If 5 attempts failed, I would lock out the account for a minute. If more than 20 attempts, I lock it out until I reset it.
>
> I have one very important page set up so that the user has to log in with the same set of credentials twice. The first time it appears that it didn't work. I tell the users (only a handful of people) they have to do it twice. I figure anyone hacking in will never try the same set twice.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:298253
RE: Secure login system
Ya know, you could always add a captcha to the login screen as well as the username / password; that would stop any mass-login attempt or brute force password crackers.

Chris

-----Original Message-----
From: Mark Fuqua [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 05, 2008 3:38 PM
To: CF-Talk
Subject: RE: Secure login system

> That's pretty smart.
>
> -----Original Message-----
> From: Al Musella, DPM [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 05, 2008 3:35 PM
> To: CF-Talk
> Subject: Re: Secure login system
>
>> The only other thing I would add is a counter of bad login attempts. If 5 attempts failed, I would lock out the account for a minute. If more than 20 attempts, I lock it out until I reset it.
>>
>> I have one very important page set up so that the user has to log in with the same set of credentials twice. The first time it appears that it didn't work. I tell the users (only a handful of people) they have to do it twice. I figure anyone hacking in will never try the same set twice.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:298262
Secure login system
I am building a secure login system and would like some opinions on what I have so far (please pick it apart):

1. Submitting login form over SSL, no brainer
2. Using cfqueryparam everywhere, another no brainer
3. Password field in the database is called something other than password, pw, etc.
4. Password is one-way encrypted using Hash(); the encrypted version is stored in the db
5. In the ColdFusion code, the encrypted version of the pw is never selected from the db - I assume this is irrelevant, but better to be on the safe side
6. Login form field names have the session key appended to them to prevent the browser remembering login details for the user (no remember-me tickbox)
7. Password can only be changed by the user entering the current password and new password when logged in

I think this is all sound so far but I am really unsure about the best way of resetting passwords when a user has forgotten their password. Currently, I have this:

1. User requests password change instructions to be sent to their registered email address by entering both their login name and email address: if the details match, the instructions are sent (if they don't remember those details they can ask the administrator, it's a small office).
2. When the request is made, a 32 character 'temporaryLoginKey' is created and a hash of this is stored in the login table. The unhashed key is sent to the user's email as part of a web address (i.e. www.site.com/index.cfm?event=resetPassword&tempLoginKey=27JFl49580KFj45687KJGF459 )
3. The user visits the url sent to them and is presented with a change password form in which they are required to enter their login name and new password
4. Once the user has changed their password, the tempKey is cleared and resulting calls to the temp address result in an access denied message or some such

Am I missing anything obvious or is anything I am doing plain wrong?
I do not need to build Fort Knox here, simply the most secure login possible on zero budget (it also has to be a minimal PITA for the users).

Thanks in advance :)

Dominic

--
Blog it up: http://fusion.dominicwatson.co.uk

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:298005
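Dominic's steps 2 to 4 of the reset flow (a random 32 character key, only its hash stored in the login table, the plaintext sent only in the e-mailed URL, the key cleared once used), worked through as an added Python example rather than ColdFusion; it is not Dominic's code. The `ResetStore` class, its injectable clock and the one-hour expiry are assumptions of this example: the post sets no lifetime on the key, and adding one is the main thing the example does beyond the steps as written.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_BYTES = 16               # 16 random bytes -> 32 hex characters, the post's key length
TOKEN_TTL_SECONDS = 3600       # expiry is this example's addition; the post has none


def hash_token(token):
    """Only this digest is stored, so a copy of the login table cannot be
    turned into a working reset link."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetStore:
    """Stand-in for the login table columns that would hold the hashed
    temporary key and its issue time (constructed for this example)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}            # username -> (token_hash, issued_at)

    def issue_token(self, username):
        """Step 2: create the key, store only its hash, return the plaintext
        for the e-mailed URL. Re-issuing replaces any earlier key."""
        token = secrets.token_hex(TOKEN_BYTES)
        self._rows[username] = (hash_token(token), self._clock())
        return token

    def stored_hash(self, username):
        return self._rows[username][0]

    def redeem(self, username, presented_token):
        """Steps 3-4: the user supplies login name and key together. Returns
        True once, after which the key is cleared. Wrong guesses leave the
        row in place but the caller sees the same False either way."""
        row = self._rows.get(username)
        if row is None:
            return False
        stored, issued_at = row
        if self._clock() - issued_at > TOKEN_TTL_SECONDS:
            del self._rows[username]                  # expired: discard it
            return False
        if not hmac.compare_digest(stored, hash_token(presented_token)):
            return False                              # constant-time mismatch
        del self._rows[username]                      # single use
        return True


def demo():
    """Constructed walk-through of the flow with a controllable clock."""
    now = [0.0]
    store = ResetStore(clock=lambda: now[0])
    token = store.issue_token("dominic")
    results = {
        "token_len": len(token),
        "stored_is_plaintext": store.stored_hash("dominic") == token,
        "wrong_user": store.redeem("mallory", token),
        "wrong_token": store.redeem("dominic", "0" * 32),
        "first_use": store.redeem("dominic", token),
        "second_use": store.redeem("dominic", token),
    }
    token2 = store.issue_token("dominic")
    now[0] += TOKEN_TTL_SECONDS + 1
    results["expired"] = store.redeem("dominic", token2)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Binding `redeem` to the login name matches step 3, where the form asks for the login name alongside the new password, so a leaked key on its own is not enough. Because only the digest is stored, a read-only leak of the login table yields nothing that can be pasted into the reset URL.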
Re: Secure login system
Only thing I didn't see was mention of a salt phrase included in the hash, but I doubt you really need to go to that extent. The rest looks fine to me personally. It's more than most apps do for password security.

--
s. isaac dealey ^ new epoch
isn't it time for a change?
ph: 503.236.3691
http://onTap.riaforge.org/blog

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:298006
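The salt Isaac mentions, shown as an added Python example that contrasts a bare one-way hash of the password with a per-user salted record; this is not code from the thread. The `make_salted_record` and `verify_salted` names, the `salt$iterations$digest` storage format and the choice of PBKDF2-HMAC-SHA256 are this example's own (the thread suggests only a salt, not a slow iterated hash).

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # iterated hashing is this example's addition, not from the thread


def unsalted_hash(password):
    """What a bare one-way Hash() of the password gives: the same password
    always yields the same digest, so one precomputed table covers every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_salted_record(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return 'salt$iterations$digest' for the password column. The per-user
    random salt is the thread's suggestion; PBKDF2-HMAC-SHA256 is this
    example's choice of hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(password, record):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    salt_hex, iterations, stored_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), stored_hex)


def compare_schemes(password):
    """Constructed scenario: two users happen to pick the same password."""
    user_a_plain = unsalted_hash(password)
    user_b_plain = unsalted_hash(password)
    user_a_salted = make_salted_record(password)
    user_b_salted = make_salted_record(password)
    return {
        "unsalted_records_identical": user_a_plain == user_b_plain,
        "salted_records_identical": user_a_salted == user_b_salted,
        "both_salted_verify": verify_salted(password, user_a_salted)
                              and verify_salted(password, user_b_salted),
        "wrong_password_rejected": not verify_salted(password + "!", user_a_salted),
    }


if __name__ == "__main__":
    for name, value in compare_schemes("hunter2").items():
        print(f"{name}: {value}")
```

The point of the salt shows in the first two results: identical passwords give identical unsalted digests, so one lookup table or one cracked hash covers every user who chose that password, while the salted records differ per user and each has to be attacked separately. The iteration count is stored with the record so it can be raised later without invalidating existing rows.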
Re: Secure login system
> I am building a secure login system and would like some opinions on what I have so far (please pick it apart):

Better than the one I just reviewed a few weeks back. I checked out an app that simply had the user/pass stored in a variable on a page. If the person entered the right user/pass they were relocated to the secure pages. And no, the secure pages were not restricted in any way themselves. You could visit them directly. Total CRUD and all.

Will

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:298007
Re: Secure login system
> Better than the one I just reviewed a few weeks back. I checked out an app that simply had the user/pass stored in a variable on a page. If the person entered the right user/pass they were relocated to the secure pages. And no, the secure pages were not restricted in any way themselves. You could visit them directly. Total CRUD and all.

Wowsers!

I'll look up the salt phrase thing, thank you s. Better to go slightly overboard ;)

Glad to know I'm doing the right thing (by your eyes at least). I can sleep now.

Dominic

--
Blog it up: http://fusion.dominicwatson.co.uk

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:298010
Re: Secure login system
Blimey, looking up salting produced some very interesting stuff including this: http://www.rohitab.com/discuss/lofiversion/index.php/t16402.html

Amazing how people talk about their criminal activity with such openness and politeness - emoticons all round!

Thanks again,

Dominic

--
Blog it up: http://fusion.dominicwatson.co.uk

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:298012
Re: Secure login system
> Blimey, looking up salting produced some very interesting stuff including this: http://www.rohitab.com/discuss/lofiversion/index.php/t16402.html

That site should be turned over to the proper authorities. That's ridiculous.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:298013
Re: Secure login system
> That site should be turned over to the proper authorities. That's ridiculous.

Does seem pretty ballsy of them to talk like that on a forum that's indexed by Google.

--
s. isaac dealey ^ new epoch
isn't it time for a change?
ph: 503.236.3691
http://onTap.riaforge.org/blog

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:298014