protecting password

  • Dave Anderson

    #16
    Re: protecting password

    Anthony Jones wrote:
    > Not to mention the extra load on your server. Therefore I don't
    > really consider SSL a good solution for login bearing in mind a
    > fairly strong challenge/response login can be created without it.

    You honestly think you can build a strong login without it? And without
    taxing your server more than SSL does, at that? I am dying to hear more.



    --
    Dave Anderson

    Unsolicited commercial email will be read at a cost of $500 per message. Use
    of this email address implies consent to these terms.



    • Anthony Jones

      #17
      Re: protecting password


      "Dave Anderson" <NYRUMTPELVWH@spammotel.com> wrote in message
      news:129fs493oku9pa6@corp.supernews.com...
      > Anthony Jones wrote:
      > > Not to mention the extra load on your server. Therefore I don't
      > > really consider SSL a good solution for login bearing in mind a
      > > fairly strong challenge/response login can be created without it.
      >
      > You honestly think you can build a strong login without it?

      If challenge/response MD5 or SHA1 is not strong enough for you then no,
      otherwise yes. After all, if you really need it to be very strong it's likely
      you'd want all the content protected by SSL.

      > And without taxing your server more than SSL does, at that?

      My point was I've not at this time been able to create a smooth transition from
      an SSL protected logon page to general unprotected content. Hence either
      I scare the user with a nasty 'You might be posting data in an unsecure way'
      sort of message or I run the whole site in SSL, which would definitely demand
      more of the server than is necessary.

      However, I'd be interested in techniques that allowed SSL to be used for
      login only but did not involve a scary message being given to the user. Any
      ideas?

      > I am dying to hear more.
      >
      > --
      > Dave Anderson
      >
      > Unsolicited commercial email will be read at a cost of $500 per message. Use
      > of this email address implies consent to these terms.



      • Justin Piper

        #18
        Re: protecting password

        On Mon, 19 Jun 2006 12:18:14 -0500, Anthony Jones <Ant@yadayadayada.com>
        wrote:
        > SSL would seem to be a better way but then you need to get a trusted
        > certificate (for which there may be a cost) and I've not found a way to
        > seamlessly transition from https to http.
        >
        > Without a trusted certificate the users are likely to get warnings that
        > may put them off.
        >
        > A response.redirect from https to http also typically puts up a worrying
        > warning to the user. I've tried meta refresh but it will ignore the http
        > URL in the content attribute.

        What version of IE are you seeing this behavior in? I have 6.0.3790.1830
        (W2k3 SP1), and it seems to handle meta refresh correctly. I've included
        the script I used to test below. Change the ``Script`` constant to
        something appropriate.

        <% Option Explicit

        ' Host and path of this page; it must be reachable over both http and https
        Const Script = "localhost/login.asp"

        Dim action, secure
        action = Request.Form("action")
        secure = Request.ServerVariables("HTTPS")
        %>
        <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
        "http://www.w3.org/TR/html4/strict.dtd">
        <html>
        <head>
        <title>Default</title>
        <% ' After the form has been POSTed over https, a meta refresh (rather than a
           ' Response.Redirect) sends the browser back to the plain http URL %>
        <% If action="login" Then %>
        <meta http-equiv="refresh"
        content="0;url=http://<%= Script %>">
        <% End If %>
        </head>
        <body>
        <div>Secure: <%= secure %></div>
        <div>Action: <%= action %></div>
        <form method="post" action="https://<%= Script %>">
        <input type="submit" name="action" value="login">
        </form>
        </body>
        </html>

        --
        Justin Piper
        Bizco Technologies
        We help businesses optimize efficiency with information technology, audio-visual, and mobility solutions through predictable pricing and dependable support.


        • sashi

          #19
          Hi guys,

          The script seems OK to me; it needs a little tidy-up, I guess. My suggestions are as below:

          1.) protect the .mdb file with a password
          2.) set the session.timeout value - in case of idle session
          3.) encrypt user password


          Below is my script; check it out.
          '//--- inc_connection.asp ---
          <%
          Dim ObjCon
          Set ObjCon = Server.CreateObject("ADODB.Connection")
          ' The Jet database password is what protects the .mdb file itself (suggestion 1)
          ObjCon.Open ("Provider=Microsoft.Jet.OLEDB.4.0;Persist Security Info=False;Jet OLEDB:Database Password=xyz;Data Source=" & Server.MapPath("../db/eduguide.mdb"))
          %>

          '//--- inc_authenticate.asp ---
          <%@ LANGUAGE="VBSCRIPT" %>
          <!--#INCLUDE FILE="inc_connection.asp" -->
          <!--#INCLUDE FILE="inc_encryption.asp" -->
          <%
          Dim myAccountNo, Message, Action, ID, UID, PWD, ACL, EMAILID, nNewsID, nNewsSummary
          myAccountNo = Session("myAccountNo")
          Message = Session("Message")
          Session("Message") = ""
          Action = Session("Action")
          ID = Session("ID")
          UID = Session("UID")
          PWD = Session("PWD")
          ACL = Session("ACL")
          EMAILID = Session("EMAILID")
          %>
          <%
          Dim URL_Link
          Dim myname, mypassword
          Dim cnpath, sSQL, TMPSQL
          Dim objRS, objCmd, objUpdateRec
          myname = Request.Form("txtUsername")
          mypassword = Request.Form("txtPassword")
          URL_Link = Request.ServerVariables("HTTP_REFERER")
          ' Reject the form's placeholder values and empty fields before touching the database
          If myname = "Username" Or myname = "" Then
              Session("Message") = "Check username"
              Response.Redirect URL_Link
          ElseIf mypassword = "Password" Or mypassword = "" Then
              Session("Message") = "Check password"
              Response.Redirect URL_Link
          End If
          ' Look the user up with a parameterised query; concatenating myname into the
          ' WHERE clause (as the original did) lets a crafted username alter the SQL
          sSQL = "SELECT * FROM sSECURITYTBL WHERE USERNAME = ?"
          Set objCmd = Server.CreateObject("ADODB.Command")
          Set objCmd.ActiveConnection = ObjCon
          objCmd.CommandText = sSQL
          objCmd.Parameters.Append objCmd.CreateParameter("USERNAME", 200, 1, 255, myname) ' 200 = adVarChar, 1 = adParamInput
          Set objRS = objCmd.Execute
          If objRS.EOF Then
              objRS.Close
              ObjCon.Close
              Set objRS = Nothing
              Set ObjCon = Nothing
              Session("Message") = "Invalid username"
              'Response.Redirect URL_Link & "?error=" & Server.URLEncode(Message)
              Response.Redirect URL_Link
          End If
          ' Compare the stored password against the encrypted form of what was typed (suggestion 3)
          If objRS("password") = pEncrypt(mypassword) Then
              ' Idle sessions expire after 10 minutes (suggestion 2)
              Session.Timeout = 10
              If Request.Form("chkRememberMe") = "True" Then
                  ' Note: this keeps the cleartext password in a cookie for a month;
                  ' a random remember-me token looked up server-side would be safer
                  Response.Cookies("Username") = Request.Form("txtUsername")
                  Response.Cookies("Username").Expires = DateAdd("m", 1, Now())
                  Response.Cookies("Password") = Request.Form("txtPassword")
                  Response.Cookies("Password").Expires = DateAdd("m", 1, Now())
              End If
              If Request.Form("chkRememberMe") = "" Then
                  Response.Cookies("Username") = ""
                  Response.Cookies("Username").Expires = DateAdd("m", -3, Now())
                  Response.Cookies("Password") = ""
                  Response.Cookies("Password").Expires = DateAdd("m", -3, Now())
              End If
              'If they made it here, they logged in successfully,
              'so set the value of the LoggedIn session variables
              Session("LoggedIn") = "yes"
              'Reroute users to the appropriate page based on their access level
              If objRS("accesslevel") = "administrator" Then
                  Session("isAdminLogin") = "yes"
                  Session("Action") = "main"
                  Session("ID") = objRS("ID")
                  Session("UID") = objRS("Username")
                  Session("PWD") = objRS("Password")
                  Session("ACL") = objRS("AccessLevel")
                  Session("EMAILID") = objRS("Email")
                  Response.Redirect "../admin/default.asp"
              ElseIf objRS("accesslevel") = "educator" Then
                  Session("Action") = "main"
                  Session("myAccountNo") = objRS("vAccount_No")
                  Session("ID") = objRS("ID")
                  Session("UID") = objRS("Username")
                  Session("PWD") = objRS("Password")
                  Session("ACL") = objRS("AccessLevel")
                  Session("EMAILID") = objRS("Email")
                  Response.Redirect "../admin/educator/default.asp"
              ElseIf objRS("accesslevel") = "supplier" Then
                  Session("Action") = "main"
                  Session("myAccountNo") = objRS("vAccount_No")
                  Session("ID") = objRS("ID")
                  Session("UID") = objRS("Username")
                  Session("PWD") = objRS("Password")
                  Session("ACL") = objRS("AccessLevel")
                  Session("EMAILID") = objRS("Email")
                  Response.Redirect "../admin/supplier/default.asp"
              End If
              objRS.Close
              ObjCon.Close
              Set objRS = Nothing
              Set ObjCon = Nothing
          Else
              objRS.Close
              ObjCon.Close
              Set objRS = Nothing
              Set ObjCon = Nothing
              Session("Message") = "Invalid password"
              'Response.Redirect URL_Link & "?error=" & Server.URLEncode(Message)
              Response.Redirect URL_Link
          End If
          %>

          '//--- inc_logout.asp ---
          <%
          ' Drop the whole server-side session, including LoggedIn and the cached credentials
          Session.Abandon
          Response.Redirect "../default.asp"
          %>


          • Anthony Jones

            #20
            Re: protecting password


            "Justin Piper" <jpiper@bizco.com> wrote in message
            news:op.tbf8hfstcs3d1w@luxembourg.psg.bizcotech.com...
            > On Mon, 19 Jun 2006 12:18:14 -0500, Anthony Jones <Ant@yadayadayada.com>
            > wrote:
            > > SSL would seem to be a better way but then you need to get a trusted
            > > certificate (for which there may be a cost) and I've not found a way to
            > > seamlessly transition from https to http.
            > >
            > > Without a trusted certificate the users are likely to get warnings that
            > > may put them off.
            > >
            > > A response.redirect from https to http also typically puts up a worrying
            > > warning to the user. I've tried meta refresh but it will ignore the http
            > > URL in the content attribute.
            >
            > What version of IE are you seeing this behavior in? I have 6.0.3790.1830
            > (W2k3 SP1), and it seems to handle meta refresh correctly. I've included
            > the script I used to test below. Change the ``Script`` constant to
            > something appropriate.
            >
            > <% Option Explicit
            >
            > Const Script = "localhost/login.asp"
            >
            > Dim action, secure
            > action = Request.Form("action")
            > secure = Request.ServerVariables("HTTPS")
            > %>
            > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
            > "http://www.w3.org/TR/html4/strict.dtd">
            > <html>
            > <head>
            > <title>Default</title>
            > <% If action="login" Then %>
            > <meta http-equiv="refresh"
            > content="0;url=http://<%= Script %>">
            > <% End If %>
            > </head>
            > <body>
            > <div>Secure: <%= secure %></div>
            > <div>Action: <%= action %></div>
            > <form method="post" action="https://<%= Script %>">
            > <input type="submit" name="action" value="login">
            > </form>
            > </body>
            > </html>
            >

            I was missing the url= from the content attribute. It works fine now,
            thanks. It is certainly a better solution if you already have a trusted
            certificate.

            > --
            > Justin Piper
            > Bizco Technologies
            > http://www.bizco.com/



            • Dave Anderson

              #21
              Re: protecting password

              Anthony Jones wrote:
              >> You honestly think you can build a strong login without it?
              >
              > If challenge/response MD5 or SHA1 is not strong enough for
              > you then no otherwise yes.

              But either of those implemented on the client is still vulnerable to
              man-in-the-middle attacks, just as SSL without trust is. But you knew that.


              > ...I'd be interested in techniques that allowed SSL to be used
              > for login only but did not involve a scary message being given
              > to the user. Any ideas?

              Login at amazon.com.



              --
              Dave Anderson

              Unsolicited commercial email will be read at a cost of $500 per message. Use
              of this email address implies consent to these terms.



              • Anthony Jones

                #22
                Re: protecting password


                "Dave Anderson" <NYRUMTPELVWH@spammotel.com> wrote in message
                news:OnL5cSIlGHA.1344@TK2MSFTNGP03.phx.gbl...
                > Anthony Jones wrote:
                > >> You honestly think you can build a strong login without it?
                > >
                > > If challenge/response MD5 or SHA1 is not strong enough for
                > > you then no otherwise yes.
                >
                > But either of those implemented on the client is still vulnerable to
                > man-in-the-middle attacks, just as SSL without trust is. But you knew
                > that.
                >

                Yes, I did, but even a logon created using trusted SSL is still vulnerable to
                man-in-the-middle attacks when the session in general operates over
                unencrypted http. The attack is unable to actually reveal the password for
                later use. The objective of this technique is simply to protect the
                password. If the session or the content needs protecting, then SSL is needed
                for the whole session.
                >
                > > ...I'd be interested in techniques that allowed SSL to be used
                > > for login only but did not involve a scary message being given
                > > to the user. Any ideas?
                >
                > Login at amazon.com.
                >

                Yes, Justin has put me right on this already. With a trusted certificate for
                a single machine I would prefer SSL too. It gets a little tricky on IIS to
                support multiple SSL websites though, and not all my clients want the
                hassle. Clients are nervous about the idea of the password itself floating
                about on the internet unencrypted, so what I've proposed suits them; they're
                not exactly MI5.
                >
                > --
                > Dave Anderson
                >
                > Unsolicited commercial email will be read at a cost of $500 per message. Use
                > of this email address implies consent to these terms.
                >


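To make the challenge/response login debated in posts #17 and #22 concrete, here is an added example (not code from any poster) of a nonce-based scheme in Python: the server issues a random nonce, the browser-side script sends HMAC-SHA1 keyed by SHA-1(password) over that nonce instead of the password, and the server accepts each nonce once. The use of HMAC rather than a bare hash concatenation, the in-memory user store and the sample credentials are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed user store (assumption): the server keeps SHA-1(password) per
# user, so the cleartext password is never stored or transmitted.
USERS = {"alice": hashlib.sha1(b"correct horse").hexdigest()}


def client_response(password, nonce):
    """What the browser-side script would compute: the password itself never
    leaves the client, only an HMAC keyed by its hash over the server's nonce."""
    secret = hashlib.sha1(password.encode()).hexdigest()
    return hmac.new(secret.encode(), nonce.encode(), hashlib.sha1).hexdigest()


class ChallengeServer:
    def __init__(self, users):
        self.users = users
        self.pending = {}  # username -> nonce still awaiting a response

    def issue_challenge(self, username):
        """Step 1: hand the login form a fresh, unpredictable nonce."""
        nonce = secrets.token_hex(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username, nonce, response):
        """Step 2: check the response and consume the nonce, so a captured
        (nonce, response) pair is useless for a later replay."""
        issued = self.pending.pop(username, None)
        if issued is None or not hmac.compare_digest(issued, nonce):
            return False  # no outstanding challenge, or a stale/replayed one
        secret = self.users.get(username)
        if secret is None:
            return False
        expected = hmac.new(secret.encode(), nonce.encode(), hashlib.sha1).hexdigest()
        return hmac.compare_digest(expected, response)


def login(server, username, password):
    """One full exchange as the browser would drive it."""
    nonce = server.issue_challenge(username)
    return server.verify(username, nonce, client_response(password, nonce))


if __name__ == "__main__":
    srv = ChallengeServer(USERS)
    print("correct password:", login(srv, "alice", "correct horse"))
    print("wrong password:  ", login(srv, "alice", "tr0ub4dor"))
```

A passive observer of this exchange learns neither the password nor a response it can replay, but the plain-http session that follows is as exposed as before, which is exactly the limitation Anthony states above.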