Login script

Discussion in 'HTML' started by Matt, Jan 14, 2004.

  1. Matt

    Matt Guest

    I've put together a forum (without the forum bit!) that requires
    registration and login. Could someone have a quick look and see what they
    think in terms of password security or any other issues?
    http://d168790.u33.dc-servers.com/forum/forum.asp

    Thanks
     
    Matt, Jan 14, 2004
    #1

  2. Matt

    m Guest

    Matt wrote:

    > I've put together a forum (without the forum bit!) that requires
    > registration and login. Could someone have a quick look and see what they
    > think in terms of password security or any other issues?
    > http://d168790.u33.dc-servers.com/forum/forum.asp



    I'm surprised you're mixing this:

    <LINK rel="stylesheet" type="text/css" href="">

    with this:

    <BODY bgcolor="#ffffff" leftmargin="10"
    topmargin="10" marginwidth="0" marginheight="0">
    <TABLE width="100%" border="0" cellspacing="0"
    cellpadding="0" bgcolor="#ffffff">
    <BR><BR>

    ....and don't have a doctype definition.

    I can't see the actual login.asp script.
    --
    cheers, m at mbstevens.com
     
    m, Jan 14, 2004
    #2

  3. Matt

    Augustus Guest

    "Matt" <> wrote in message
    news:...
    > I've put together a forum (without the forum bit!) that requires
    > registration and login. Could someone have a quick look and see what they
    > think in terms of password security or any other issues?
    > http://d168790.u33.dc-servers.com/forum/forum.asp
    >


    You don't really have much there... honestly it looks like you put no
    thought into it at all

    A couple of things:

    1) You don't give any error messages
    2) If I type in something and leave another field blank and hit SUBMIT on
    the signup form, what I typed in should be filled in on the form (and then
    an error message below or around the items that I didn't fill out telling me
    that I didn't fill them out)
    3) For "password" you should have the user type it in twice and then check
    that the two match... if they do then the password is ok, if it doesn't then
    tell the user the 2 passwords don't match. What if somebody has a crappy
    keyboard where a key doesn't work sometimes, or they type so fast and
    sometimes typos are made?
    4) You should line things up
    5) You don't need the same size input boxes for everything. For password
    you have SIZE=10 MAXLENGTH=40... why are you giving me so much room if I can
    only enter 10 characters?
    6) For email I entered "test" and it accepted it... didn't check for any of
    the basic elements that make up an email address
    7) For security, you shouldn't let people's username be the same as password
    8) You should include a "REMEMBER ME" option... if I select this you should
    write a cookie with my userID so that I don't have to log in next time I
    come back

    Ok, that's more than a couple... it'll give you something to start with
    though...

    Clint
     
    Augustus, Jan 14, 2004
    #3
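    The points above (required fields, a second password box that must match, a basic email check, username not equal to password, and a "remember me" option) are all server-side validation. The following is an added Python example written for this thread, not code from the original site or from any of the posters; the minimum password length and the error wording are the example's own choices, and the "remember me" part goes slightly beyond the post by storing a random opaque token instead of the raw user ID, so that a cookie cannot be forged simply by guessing someone else's ID.

```python
import hashlib
import re
import secrets

# Deliberately loose syntax check: something@something.tld. It rejects
# inputs like "test" without pretending to validate deliverability.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

MIN_PASSWORD_LENGTH = 10  # assumption for this example, not from the thread


def validate_signup(form: dict) -> dict:
    """Validate a signup form dict (field name -> submitted string).

    Returns {field: error message}; an empty dict means the form is valid.
    The caller keeps the submitted values and re-renders the form with each
    error message placed next to the field it belongs to.
    """
    errors = {}
    username = form.get("username", "").strip()
    email = form.get("email", "").strip()
    password = form.get("password", "")
    confirm = form.get("password2", "")

    # 1) Every field is required; report all missing ones at once.
    for field, value in (("username", username), ("email", email),
                         ("password", password), ("password2", confirm)):
        if not value:
            errors[field] = "This field is required"
    if errors:
        return errors

    # 2) Email must at least look like an address.
    if not EMAIL_RE.match(email):
        errors["email"] = "Enter a valid email address"

    # 3) The two password boxes must agree (catches typos and flaky keys),
    #    and the password must not simply be the username.
    if password != confirm:
        errors["password2"] = "The two passwords don't match"
    elif password.lower() == username.lower():
        errors["password"] = "Password must not be the same as the username"
    elif len(password) < MIN_PASSWORD_LENGTH:
        errors["password"] = f"Password must be at least {MIN_PASSWORD_LENGTH} characters"
    return errors


def issue_remember_token(user_id: int, store: dict) -> str:
    """Create a 'remember me' token for user_id.

    Only a hash of the token is kept server-side (store maps hash -> user_id),
    so a leaked copy of the store does not hand out valid cookies. The returned
    token is what goes into the cookie (set it HttpOnly and, on TLS, Secure).
    """
    token = secrets.token_urlsafe(32)
    store[hashlib.sha256(token.encode()).hexdigest()] = user_id
    return token


def lookup_remember_token(token: str, store: dict):
    """Resolve a cookie token back to a user_id, or None if unknown."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    return store.get(digest)


if __name__ == "__main__":
    # Constructed sample submissions, not real user data.
    print(validate_signup({"username": "matt", "email": "test",
                           "password": "secretpass1", "password2": "secretpass1"}))
    print(validate_signup({"username": "matt", "email": "matt@example.com",
                           "password": "matt", "password2": "matt"}))
    store = {}
    tok = issue_remember_token(7, store)
    print(lookup_remember_token(tok, store))
```

    The validator returns all errors together rather than stopping at the first, which is what lets the form be redrawn with the user's input preserved and a message beside each offending field.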
  4. Matt

    Matt Guest

    "Augustus" <> wrote in message
    news:bu3v7h$dc6m7$-berlin.de...
    >
    > "Matt" <> wrote in message
    > news:...
    > > I've put together a forum (without the forum bit!) that requires
    > > registration and login. Could someone have a quick look and see what they
    > > think in terms of password security or any other issues?
    > > http://d168790.u33.dc-servers.com/forum/forum.asp
    > >
    >
    > You don't really have much there... honestly it looks like you put no
    > thought into it at all
    >
    > A couple of things:
    >
    > 1) You don't give any error messages
    > 2) If I type in something and leave another field blank and hit SUBMIT on
    > the signup form, what I typed in should be filled in on the form (and then
    > an error message below or around the items that I didn't fill out telling me
    > that I didn't fill them out)
    > 3) For "password" you should have the user type it in twice and then check
    > that the two match... if they do then the password is ok, if it doesn't then
    > tell the user the 2 passwords don't match. What if somebody has a crappy
    > keyboard where a key doesn't work sometimes, or they type so fast and
    > sometimes typos are made?
    > 4) You should line things up
    > 5) You don't need the same size input boxes for everything. For password
    > you have SIZE=10 MAXLENGTH=40... why are you giving me so much room if I can
    > only enter 10 characters?
    > 6) For email I entered "test" and it accepted it... didn't check for any of
    > the basic elements that make up an email address
    > 7) For security, you shouldn't let people's username be the same as password
    > 8) You should include a "REMEMBER ME" option... if I select this you should
    > write a cookie with my userID so that I don't have to log in next time I
    > come back
    >
    > Ok, that's more than a couple... it'll give you something to start with
    > though...
    >
    > Clint
    >


    Ok, forget about layout, validation etc. I did knock it up in a few
    minutes. Can anyone see any security issues with password and personal
    details? It just uses an MS Access db to store registered users, could this
    present problems?

    Matt
     
    Matt, Jan 15, 2004
    #4
  5. Matt wrote:

    > Can anyone see any security issues with password and personal
    > details?


    Well it's difficult to see without the source.

    --
    Toby A Inkster BSc (Hons) ARCS
    Contact Me - http://www.goddamn.co.uk/tobyink/?page=132
     
    Toby A Inkster, Jan 15, 2004
    #5
  6. Matt

    Matt Guest

    "Toby A Inkster" <> wrote in message
    news:p...
    > Matt wrote:
    >
    > > Can anyone see any security issues with password and personal
    > > details?

    >
    > Well it's difficult to see without the source.
    >
    > --
    > Toby A Inkster BSc (Hons) ARCS
    > Contact Me - http://www.goddamn.co.uk/tobyink/?page=132
    >


    Well the point is, the user can't see the source. Does that mean the
    database cannot be hacked (and is therefore secure)?
     
    Matt, Jan 15, 2004
    #6
  7. Matt

    Augustus Guest

    "Matt" <> wrote in message
    news:eek:...
    >
    > "Toby A Inkster" <> wrote in message
    > news:p...
    > > Matt wrote:
    > >
    > > > Can anyone see any security issues with password and personal
    > > > details?

    > >
    > > Well it's difficult to see without the source.
    > >
    > > --
    > > Toby A Inkster BSc (Hons) ARCS
    > > Contact Me - http://www.goddamn.co.uk/tobyink/?page=132
    > >

    >
    > Well the point is, the user can't see the source. Does that mean the
    > database cannot be hacked (and is therefore secure)?


    No, the user can't see the source of the page, because it is run on the
    server and then the compiled results are sent as html and text...

    That doesn't mean it is secure nor can it be hacked... you are using Access
    as your database... if it's stored on the server in the website with a simple
    name, somebody might be able to find it..

    ie: if it's: www.mysite.com/database.mdb then I can just type that url in
    and download your database

    Also, you are most likely using include files (if not you should be) and you
    don't end them in .asp (a few years ago a lot of asp books suggested using
    .inc to denote an include file) then they could possibly be found and opened

    IE: if you are using include files like mydsn.inc then enter the path
    to the file with the name into your browser like
    www.mysite.com/includes/mydsn.inc and see what happens... your asp
    source code isn't compiled on the server and therefore sent as HTML/text
    (because it doesn't end in the .asp extension the server doesn't know it
    should be compiled on the server)
     
    Augustus, Jan 15, 2004
    #7
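    The two exposures described above (an Access .mdb sitting under the web root, and .inc include files that the server hands out as plain text) are easy to check for from the server side. The following is an added Python example written for this thread, not code from the original site or from any poster: it walks a web root, lists every file whose extension would be served verbatim, and flags the ones whose contents look like a connection string. The sample web root it builds in a temp directory, the file names in it and the marker strings it searches for are all constructed for the example.

```python
import os
import tempfile

# Extensions named in the thread that IIS serves as static content rather
# than executing, so their contents reach anyone who guesses the URL.
EXPOSED_EXTENSIONS = (".mdb", ".inc")

# Substrings that suggest a file holds database credentials or a DSN.
# Constructed list for this example.
SECRET_MARKERS = ("provider=", "dsn=", "password=", "pwd=")


def looks_like_secret(path: str) -> bool:
    """True if the first 4 KiB of the file contain a connection-string marker."""
    try:
        with open(path, "rb") as f:
            head = f.read(4096).decode("latin-1").lower()
    except OSError:
        return False
    return any(marker in head for marker in SECRET_MARKERS)


def find_exposed_files(webroot: str, extensions=EXPOSED_EXTENSIONS):
    """Return sorted (relative_path, contains_secret) pairs for every file
    under webroot whose extension is in `extensions`."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, webroot).replace(os.sep, "/")
                findings.append((rel, looks_like_secret(path)))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Create a constructed web root in a temp dir mirroring the thread's
    scenario: forum.asp, includes/mydsn.inc and users.mdb."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "includes"))
    with open(os.path.join(root, "forum.asp"), "w") as f:
        f.write('<!--#include file="includes/mydsn.inc"-->\n')
    with open(os.path.join(root, "includes", "mydsn.inc"), "w") as f:
        # Constructed connection string; the provider name is a common one,
        # the database path is made up for the example.
        f.write('<% strConn = "Provider=Microsoft.Jet.OLEDB.4.0;'
                'Data Source=" & Server.MapPath("users.mdb") %>\n')
    with open(os.path.join(root, "users.mdb"), "wb") as f:
        f.write(b"constructed placeholder, not a real Access file\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, secret in find_exposed_files(root):
        print(f"{rel}\t{'CONNECTION STRING' if secret else 'exposed file'}")
```

    Anything the scan reports should either move outside the web root (the usual fix for the .mdb) or be renamed to .asp so the server executes it instead of serving it (the usual fix for includes).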
  8. Matt wrote:

    > Well the point is, the user can't see the source. Does that mean the
    > database cannot be hacked (and is therefore secure)?


    No, it just means that it's a little more difficult to hack.

    No-one (outside Microsoft) can see the source to Windows. Can it be hacked?

    --
    Toby A Inkster BSc (Hons) ARCS
    Contact Me - http://www.goddamn.co.uk/tobyink/?page=132
     
    Toby A Inkster, Jan 15, 2004
    #8