Sign In


Please don't use your real password(s) with this site until we turn SSL on in production.  

Note regarding the lock symbol:

This page uses asymmetric encryption to secure the password as it is sent over the internet. When creating the page, the server generates a 1024-bit public key pair. The public key is sent to the client and used to encrypt the password before it is sent over the internet. The server uses the private key to decrypt the password. It's lightweight and efficient, but not particularly secure: the JavaScript sent to the client is the weakness.
  • Brute force won't work because the key is used once and the sample is too small.
  • Replay won't work because a new key is generated for each login.
  • Dictionary attacks are limited by the five-attempt suspension logic.
  • The stored password is salted and hashed, so even if an attacker gains access to the database it will be tough to decode.
  • Once we turn on SSL to protect the JavaScript on the client, only ultra-weak passwords and social engineering will remain as openings for the dedicated attacker.

Note regarding risk of email reset:

Many moderately secure systems employ a password reset feature that emails the new password to the user. This is very convenient but may open a security loophole. Should an attacker be able to sniff your internet connection or gain access to the email server, he will be able to read your email messages. He could then request a password reset and gain access to your account. Other attackers might conduct a nuisance attack against all accounts at a website by requesting resets of all the user IDs.
The email-based reset can be disabled if this is a concern, or a personal question can be added to authorize a reset.

Note regarding this design: 2.0 includes a login suite consisting of pages to register, log in, change password, log out, and request a reset. Information about anonymous users can be collected and stored using the profile facility. Privileges can be assigned to roles, and then individual users can be added to the role.

ConsenCIS design accomplishes all these purposes using pages and a SQL Server database. Each visitor is assigned a database record at the beginning of their first visit. If they accept cookies they will be reconnected with this database record each time they visit. Any information they offer will be stored in their own database record and used to improve their experience. If they choose to register they can obtain a password. Registered users can join groups and be assigned roles with the privileges they'll need to use the site.

Web Application by ConsenCIS


