Do you have an option to use email address as a user name?

-----Original Message-----
From: Discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Paul Cowan
Sent: Thursday, January 03, 2008 10:40 AM
To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
Subject: Re: [ADVANCED-DOTNET] non authenticated security

I really do agree with you, but the thing is the data from the feeds that I am importing via SSIS is not clean data. Sometimes all I have is an email address. I would have to compromise the quality of the users' data in order to create a user. The original database would be funny if I was not dealing with it. No foreign keys, and pipe-delimited fields that are the one-to-many relationships. Unreal.

[EMAIL PROTECTED]

> Date: Thu, 3 Jan 2008 11:16:14 -0500
> From: [EMAIL PROTECTED]
> Subject: Re: [ADVANCED-DOTNET] non authenticated security
> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
>
> I would suggest storing only a hash of the PIN/password, but if you take server compromise out of the picture it doesn't make it any more secure.
>
> It's "secure" but it could be more secure. Some things that would make it more secure: mandate passwords of at least 8 characters and include three types of characters (like lower-case, upper case, and punctuation), don't accept passwords with real words in them, mandate the password change every x days, etc.
>
> I would certainly suggest making them full-fledged users, with different permissions.
>
> On Thu, 3 Jan 2008 16:09:11 +0000, Paul Cowan <[EMAIL PROTECTED]> wrote:
>
> > At present, it is stored as plain text in the database.
> >
> > At the very least, I should encrypt it I guess.
> >
> > I was thinking of creating the user when I am importing the contacts via an SSIS import and then getting the user to change their password on first login.
> >
> > But the records are not in great shape.
> >
> > [EMAIL PROTECTED]
> >
> > > Date: Thu, 3 Jan 2008 10:52:54 -0500
> > > From: [EMAIL PROTECTED]
> > > Subject: Re: [ADVANCED-DOTNET] non authenticated security
> > > To: ADVANCED-[EMAIL PROTECTED]
> > >
> > > Is this PIN stored in a database somewhere, or do they have to re-enter it after it "expires"?
> > >
> > > On Thu, 3 Jan 2008 15:54:03 +0000, Paul Cowan <[EMAIL PROTECTED]> wrote:
> > >
> > > > Hi all,
> > > >
> > > > I am migrating an ASP app. to ASP.NET and have spotted a potential security hole.
> > > >
> > > > Most of the app. I am securing with Forms authentication, but as things stand they have another requirement whereby users who are just contacts, who exist in the system without a username or password, can access certain parts of the site which are sensitive. They have been entered in the system by importing an Excel or SAP feed. They have not been created via the system and as such do not have usernames or passwords.
> > > >
> > > > The way things stand at the minute, the user gets redirected to a page where they create a 4-digit PIN which allows them to access the system via another page.
> > > >
> > > > This seems terrible to me.
> > > >
> > > > Can anyone think of a better way of handling this situation?
> > > >
> > > > Cheers
> > > >
> > > > [EMAIL PROTECTED]

===================================
This list is hosted by DevelopMentor(r) http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com
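The two recommendations quoted in this thread, store only a salted hash of the PIN/password rather than the value itself, and reject passwords shorter than 8 characters, with fewer than three character types or containing real words, as an added Python example that is not part of the list discussion (the thread is about ASP.NET, where Rfc2898DeriveBytes is the equivalent PBKDF2 primitive). The iteration count, the constructed word list, and counting digits as a fourth character class are assumptions.

```python
import hashlib
import hmac
import os
import string
from typing import Optional, Tuple

# Constructed stand-in for a real dictionary; a deployment would load a full word list.
DICTIONARY = {"password", "secret", "welcome", "letmein", "monkey"}

# Assumed iteration count; tune so one hash costs ~100 ms on the server.
PBKDF2_ITERATIONS = 200_000


def meets_policy(password: str, dictionary=DICTIONARY) -> Tuple[bool, str]:
    """Policy from the thread: >= 8 chars, >= 3 character classes, no real words.
    Digits are counted as a class alongside lower, upper and punctuation (assumption)."""
    if len(password) < 8:
        return False, "shorter than 8 characters"
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        return False, "fewer than 3 character types"
    lowered = password.lower()
    for word in dictionary:
        if word in lowered:
            return False, f"contains dictionary word {word!r}"
    return True, "ok"


def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record algorithm$iterations$salt$digest.
    Only this record is stored; the PIN/password itself never is."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", secret.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Hashing alone does not rescue a 4-digit PIN: there are only 10,000 possible values, so a leaked table of PIN hashes is still trivially recoverable, which is why the policy check matters as much as the hash.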