Please don't use your real password(s) with this site until we turn SSL on in production.
Note regarding the lock symbol:
This page uses asymmetric encryption to secure the password as it is sent over the internet. When creating the page the server generates a 1024-bit public key pair. The public key is sent to the client and used to encrypt the password before it is sent over the internet. The server uses the private key to
- Brute force won't work because the key is used once and the sample is too small.
- Replay won't work because a new key is generated for each login.
- Dictionary attacks are limited by the five-attempt suspension logic.
- The stored password is salted and hashed, so even if an attacker gains access to the database it will be hard to recover.
Note regarding risk of email reset:
Many moderately secure systems employ a password reset feature that emails the new password to the user. This is very convenient but may open a security loophole. Should an attacker be able to sniff your internet connection or gain access to the email server, he will be able to read your email messages. He could then request a password reset and gain access to your account. Other attackers might conduct a nuisance attack against all accounts at a website by requesting resets of all the user IDs. The email-based reset can be disabled if this is a concern, or a personal question can be added to authorize a reset.
Note regarding this design:
ASP.net 2.0 includes a login suite consisting of pages to register, login, change password, logout, request a reset. Information about anonymous users can be collected and stored using the profile facility. Privileges can be assigned to roles and then individual users can be added to the role.
ConsenCIS design accomplishes all these purposes using ASP.net pages and a SQL Server database. Each visitor is assigned a database record at the beginning of their first visit. If they accept cookies they will be reconnected with this database record each time they visit. Any information they offer will be stored in their own database record and used to improve their experience. If they choose to register they can obtain a password. Registered users can join groups and be assigned roles with the privileges they'll need to use the site.