Consencis uses ASP.NET forms authentication in custom login forms to make sure each user has access only to the functions they are authorized to use. Like ASP.NET 2.0's built-in security forms, Consencis implements role-based security with hashed and salted passwords. Users can change their password online or request that a password reset be sent to them at their registered email address.

Consencis goes beyond the Microsoft forms with additional capabilities. All Consencis users and roles are defined in the database. An additional layer protects against session hijacking by associating a portion of the user's IP address with each session. Forms make role assignments a snap. A unique application of standard asymmetric encryption protects passwords and other critical data as they cross the internet without requiring SSL. Consencis can also recognize returning users and grant them a limited degree of authority without requiring them to go through logon authentication.
Note regarding the lock symbol:
The login page uses asymmetric encryption to secure the password as it is sent over the internet. When creating the page, the server generates a 1024-bit public key pair. The public key is sent to the client and used to encrypt the password before it is sent over the internet. The server uses the private key to decrypt the password. It's lightweight, efficient and secure. Send me a note if you see how to crack it.
- Brute force won't work because the key is used once and the sample is too small.
- Replay won't work because a new key is generated for each login.
- Dictionary attacks are limited by the five-attempt suspension logic.
- The stored password is salted and hashed, so even if an attacker gains access to the database it will be tough to decode.
- Ultra-weak passwords and social engineering are about the only openings for the dedicated attacker.