login security

[Merlin]

Hey group,

I would like to be able to write a ASP page and on it have a link to another
ASP page. I would like to be able to have a Access Database or similar with
Username and Password and be able to allow users to enter there detail it to
look at the database to check then allow them to open the page if there
correct, anybody got any links or examples?

Ta
Merlin

[Hernan de Lahitte]

This sounds perfect for Forms Authentication with a custom resource auth.
You can see a good example of this here:

[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT03.asp[/url]

This AB might helps for your Authz and user profiles.
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag/html/authpro.asp[/url]

Hernan L.

"Merlin" <test@nospam.com> wrote in message
news:RficnebKhsEyE63dSa8jmw@karoo.co.uk...

> Hey group,
>
> I would like to be able to write a ASP page and on it have a link to

another

> ASP page. I would like to be able to have a Access Database or similar

with

> Username and Password and be able to allow users to enter there detail it

to

> look at the database to check then allow them to open the page if there
> correct, anybody got any links or examples?
>
> Ta
> Merlin
>
>

[Sweens]

Hi all

I was recently told by an 'Internet Securoty expert' that to store both
username and password in a single database was unsafe, and he suggested
using a text file to store passwords. However, having done a quick search
on google, the general opinion seems to be that storing passwords in a text
file is unsafe!

Any opinions? Is the Dreamweaver login behaviour unsafe? If so, how do I go
about creating a safe log in procedure?

I am using MS-SQL and ASP, Vb.

Thanks for any advice

Cheers

Chris

[darrel]

> I was recently told by an 'Internet Securoty expert' that to store both

> username and password in a single database was unsafe

I wouldn't call it unsafe. Perhaps less safe than using two datbases.

> and he suggested
> using a text file to store passwords.

I can't imagine how using a text file would be safer than a DB.

To break into a DB, one would need to compromise the server and then the DB.
To break into a text file, one would need to compromise the server, and then
just look at the text file.

> Any opinions? Is the Dreamweaver login behaviour unsafe? If so, how do I

go

> about creating a safe log in procedure?

How 'safe' are we talking here? Banking? Government secrets? Blog postings?

What's more important than the method is the server. Make sure the server is
secure.

-Darrel

[Sweens]

Thanks, Darrel. There aren't any state secrets on the site, just basic info
about individuals; however I need to be mindful of the Data Protection Act
in the UK.

Chris


"darrel" <notreal@hotmail.com> wrote in message
news:d33kev$eaa$1@forums.macromedia.com...

>> I was recently told by an 'Internet Securoty expert' that to store both
>> username and password in a single database was unsafe

>
> I wouldn't call it unsafe. Perhaps less safe than using two datbases.
>

>> and he suggested
>> using a text file to store passwords.

>
> I can't imagine how using a text file would be safer than a DB.
>
> To break into a DB, one would need to compromise the server and then the
> DB.
> To break into a text file, one would need to compromise the server, and
> then
> just look at the text file.
>

>> Any opinions? Is the Dreamweaver login behaviour unsafe? If so, how do I

> go

>> about creating a safe log in procedure?

>
> How 'safe' are we talking here? Banking? Government secrets? Blog
> postings?
>
> What's more important than the method is the server. Make sure the server
> is
> secure.
>
> -Darrel
>
>

[Michael Fesser]

.oO(Sweens)

>I was recently told by an 'Internet Securoty expert' that to store both
>username and password in a single database was unsafe, and he suggested
>using a text file to store passwords.

Eh?

>However, having done a quick search
>on google, the general opinion seems to be that storing passwords in a text
>file is unsafe!

Store the password in the DB in an encrypted form (MD5 hash or something
like that). On login encrypt the submitted password using the same
algorithm and compare it with the stored one.

Micha

[Sweens]

Hi Micha

You've got me stumped there. Never heard of MD5!

Chris


"Michael Fesser" <netizen@gmx.net> wrote in message
news:f8ed51l3plp8ut0f1f5mq9003613nrlo43@4ax.com...
snip>
Store the password in the DB in an encrypted form (MD5 hash or something
like that). On login encrypt the submitted password using the same algorithm
and compare it with the stored one.

Micha

[Michael Fesser]

.oO(Sweens)

>You've got me stumped there. Never heard of MD5!

MD5 is a hash algorithm (Google should give you more informations).

The point is to not store passwords in plain text, but in an encrypted
form, which cannot be decrypted. That's done with hash functions like
MD5.

Micha