5

I have been making basic forms applications in C# for a year or two now and have done some very basic login forms (plain text passwords etc.).

I am looking for a better, more secure option for security. I have looked and found some articles about .NET Membership and I have come across it before in other applications I have used. I feel that searching Google sends me around in loops of why X is better than Y and also the resources are diluted by various recommendations from 3-5 years+ ago.

I am very comfortable with SQL and use Visual Studio Express for my development.

All I am looking for is a good resource / link to the most common authentication methods around. This site will eventually end up live on the internet so needs to be secure.

Thank you.

  • Look the answers to that question: http://stackoverflow.com/questions/2498599/can-some-hacker-steal-the-cookie-from-a-user-and-login-with-that-name-on-a-web-s – Aristos Apr 16 '13 at 14:28

3 Answers

2

I use the ASP.NET Login Controls. There are other solutions, but this is one area (much like encryption) where I think you're better off not coding up your own solution - there are too many ways to fail.

See also What should every programmer know about security?

Dan Pichelman
0

First of all, the only way you can securely send a password is SSL. The only exception to this is for internet sites which are using Windows integrated authentication. But in this case you do not send the password (so it is still ok).

Second part is storing passwords. If you store them plain, somebody can hack your server and get them. That is why you should store a hash of the password.

Piotr Stapp
  • Would you recommend using Windows authentication for a website? This could be an option for us. I could then index them back to a user in the database based on username. – Geraint Llewelyn Apr 16 '13 at 14:04
  • If you can (so it is an internal site) it is the best option for users, because they have integrated login without a password (SSO). For you it is also a good choice, because authentication is done by the system, so you do not have to care about it – Piotr Stapp Apr 16 '13 at 14:24
0

For me the best way is 2-way authentication. I use an SMS service and password. Passwords are stored in a database where every character is hashed (SHA512 or MD5) with a salt. A salt is necessary because if someone gets into your database he can find passwords and check them in dictionaries. I force the user to randomly enter some characters of the password + a valid code from SMS.

Also a good way is to use CAPTCHA when the user fails to enter data several times.

You should log such invalid login tries and if you think there can be an attack on this account, you should block it and inform the user about it.

Robert