Sep 24, 2007; 11:39 | Patrick Larkin | Looking for input: Authentication
Sep 24, 2007; 11:49 | Jonathan Vanherpe (T & T NV) | Re: Looking for input: Authentication
Sep 24, 2007; 12:00 | Brian Loomis | Re: Looking for input: Authentication
Sep 24, 2007; 12:01 | Patrick Larkin | Re: Looking for input: Authentication
Sep 24, 2007; 12:05 | Bil Corry | Re: Looking for input: Authentication
Patrick Larkin wrote on 9/24/2007 10:39 AM:
> Is what I'm currently doing enough? Any other pointers on how to
> protect my site from being attacked or possibly cracked? I'd really
> appreciate any feedback or pointers to any scripts which people think
> are good models for what I want to do.
Some thoughts:
(1) Require all connections run through HTTPS.
(2) When starting a session, store the user's [client_browser] and [client_ip] and check they match on every subsequent page request. This will help protect against sidejacking.
(3) Not sure if you can have everyone update their password, but if so, it'd be better to use RIPEMD160 instead of MD5. And you should add a salt to the hash. Below is a ctag I wrote that takes a password, generates a random salt and uses a "cost" to generate the hash. You then use those components to recreate the hash given a password to compare against. More about salts and "cost" are discussed here:
<http://www.matasano.com/log/958/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/>
(4) Limit a log-in to just one person at a time (don't allow the same person to log in multiple times simultaneously)
(5) Limit the number of failed log-ins before either the account is locked or delayed-locked.
(6) Auto-blacklist any abusive IP (hack attempts, too many connections per second, suspicious requests, etc).
- Bil
[
define_tag:'lp_crypt_hash',
-required='string',-copy, // text to hash, or check hash against
-optional='cost',-copy, // default is 20, can be any number between 1 and ????
-optional='saltLength', // default is a random length between 10 and 20, you can set it to a static size
-optional='hash',-type='string',-copy, // known hash to compare unknown hash against
-optional='salt', // salt to use for hash
-optional='map'; // this causes the tag to return a map of the hash, salt and cost. default is to return a single string with them all embedded
/*
based on code from Greg Willits and ideas from
http://www.matasano.com/log/958/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/
as configured, the largest size the hash returned will be 87 characters
packed layout: 6-char Lasso version, 1-digit length of cost, cost, 4 hex digits of salt length, salt, hex digest
*/
// get hash, if possible: unpack the stored string into version, cost, salt and digest
if: (local_defined:'hash') && !(local_defined:'salt');
(fail_if: #hash->size < 14, -1, 'hash size too small');
local:'lassoVersion' = #hash->(substring: 1, 6);
local:'costLength' = (integer: #hash->(substring: 7,1));
local:'cost' = (integer: #hash->(substring: 8, #costLength));
local:'saltLength' = (lp_math_hextodec: #hash->(substring: 8 + #costLength,4));
local:'salt' = #hash->(substring: 12 + #costLength, #saltLength);
#hash = #hash->(substring: 12 + #costLength + #saltLength);
else: !(local_defined:'salt');
// no stored hash and no salt supplied: generate a fresh random salt
if: (local_defined:'saltLength');
local:'salt' = (lp_string_random: (integer:#saltLength));
else;
local:'salt' = (lp_string_random: (math_random: -min=10, -max=20)); // 10 to 20 characters, as documented above
/if;
/if;
if: !(local_defined:'cost');
local:'cost' = 20;
else;
#cost = (integer: #cost);
/if;
if: #cost < 1;
#cost = 1; // assignment, not comparison: a cost of 0 would skip the loop and return the password unhashed
/if;
// iterate the salted digest #cost times
loop: #cost;
#string = (string: (cipher_digest: (#salt + #string), -digest='RIPEMD160', -hex));
/loop;
// verification mode: compare the recomputed digest with the stored one
if: (local_defined:'hash');
if: #hash == #string;
return: true;
else;
return: false;
/if;
/if;
if: (local_defined:'map');
return: (map:'hash' = #string, 'salt' = #salt, 'cost' = #cost);
/if;
return: (lp_lasso_version:-compact) + (string:#cost)->size + #cost + (lp_string_pad: (lp_math_dectohex: #salt->size), 4) + #salt + #string;
/define_tag;
// save user password
var:'userpassword' = 'secret*1000password';
var:'hash_to_save_to_user_record' = (lp_crypt_hash:$userpassword);
'The hash for the user password is ' + $hash_to_save_to_user_record;'<br>';
'<br>';
// check user password where it's valid
var:'entered_password_to_check' = 'secret*1000password';
var:'hash_stored_in_user_account' = $hash_to_save_to_user_record; // pretend we pulled this from the user record, based on their username
'The password is valid? ' + (lp_crypt_hash:$entered_password_to_check,-hash=$hash_stored_in_user_account);'<br>';
// check user password where it's non-valid
var:'entered_password_to_check' = 'Secret*1000password'; // oops, user capitalized the first letter, it won't work!
var:'hash_stored_in_user_account' = $hash_to_save_to_user_record; // pretend we pulled this from the user record, based on their username
'The password is valid? ' + (lp_crypt_hash:$entered_password_to_check,-hash=$hash_stored_in_user_account);'<br>';
'<hr>';
// save user password, this time keeping hash, salt and cost as separate map entries
var:'userpassword' = 'secret*1000password';
var:'hash_to_save_to_user_record' = (lp_crypt_hash:$userpassword,-map);
'The hash for the user password is ' + $hash_to_save_to_user_record;'<br>';
'<br>';
// check user password where it's valid
var:'entered_password_to_check' = 'secret*1000password';
var:'hash_stored_in_user_account' = $hash_to_save_to_user_record; // pretend we pulled this from the user record, based on their username
'The password is valid? ' + (lp_crypt_hash:$entered_password_to_check,-hash=$hash_stored_in_user_account->(find:'hash'),-salt=$hash_stored_in_user_account->(find:'salt'),-cost=$hash_stored_in_user_account->(find:'cost'));'<br>';
// check user password where it's non-valid
var:'entered_password_to_check' = 'Secret*1000password'; // oops, user capitalized the first letter, it won't work!
var:'hash_stored_in_user_account' = $hash_to_save_to_user_record; // pretend we pulled this from the user record, based on their username
'The password is valid? ' + (lp_crypt_hash:$entered_password_to_check,-hash=$hash_stored_in_user_account->(find:'hash'),-salt=$hash_stored_in_user_account->(find:'salt'),-cost=$hash_stored_in_user_account->(find:'cost'));'<br>';
]
--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/
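The salted, iterated-digest scheme and packed string layout of the tag above, ported to Python as an added example (not Bil's code and not from the Lasso list); the 6-character version prefix is a constructed stand-in for lp_lasso_version, and the digest falls back to SHA-256 where the local OpenSSL build has no RIPEMD160. It also clamps a cost below 1, since a zero-iteration loop would store the password unhashed.

```python
import hashlib
import secrets
import string
from typing import Optional, Tuple

# Constructed stand-in for the 6-character "lp_lasso_version -compact" prefix.
VERSION = "L8.5.6"
SALT_ALPHABET = string.ascii_letters + string.digits


def _digest(data: bytes) -> str:
    """RIPEMD160 as in the tag; assumption: fall back to SHA-256 when OpenSSL lacks it."""
    try:
        return hashlib.new("ripemd160", data).hexdigest()
    except ValueError:
        return hashlib.sha256(data).hexdigest()


def iterate(password: str, salt: str, cost: int) -> str:
    """Apply digest(salt + previous) `cost` times, hex-encoded, like the tag's loop."""
    cost = max(1, int(cost))  # cost 0 would return the password unhashed
    value = password
    for _ in range(cost):
        value = _digest((salt + value).encode("utf-8"))
    return value


def hash_password(password: str, cost: int = 20, salt: Optional[str] = None) -> str:
    """Pack version, cost length, cost, 4-hex-digit salt length, salt and digest."""
    if salt is None:  # random 10..20 character salt, as the tag does by default
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(10 + secrets.randbelow(11)))
    cost = max(1, int(cost))
    cost_str = str(cost)
    return VERSION + str(len(cost_str)) + cost_str + f"{len(salt):04x}" + salt + iterate(password, salt, cost)


def parse(packed: str) -> Tuple[str, int, str, str]:
    """Unpack a stored string into (version, cost, salt, digest); mirrors the tag's substring arithmetic."""
    if len(packed) < 14:
        raise ValueError("hash size too small")
    cost_len = int(packed[6])
    pos = 7 + cost_len
    cost = int(packed[7:pos])
    salt_len = int(packed[pos:pos + 4], 16)
    pos += 4
    return packed[:6], cost, packed[pos:pos + salt_len], packed[pos + salt_len:]


def verify(password: str, packed: str) -> bool:
    """Recompute from the stored salt and cost; constant-time compare of the digests."""
    _, cost, salt, digest = parse(packed)
    return secrets.compare_digest(iterate(password, salt, cost), digest)
```

Today a purpose-built password hash (bcrypt, scrypt or Argon2) would replace the hand-rolled iteration, but the pack, parse and recompute flow stays the same.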
Sep 24, 2007; 12:10 | Jonathan Vanherpe (T & T NV) | Re: Looking for input: Authentication
Sep 24, 2007; 12:11 | Patrick Larkin | Re: Looking for input: Authentication
Sep 24, 2007; 12:51 | Greg Willits | Re: Looking for input: Authentication
Sep 24, 2007; 13:51 | Patrick Larkin | Re: Looking for input: Authentication
Sep 24, 2007; 14:30 | Bil Corry | Re: Looking for input: Authentication
Sep 24, 2007; 14:34 | Patrick Larkin | Re: Looking for input: Authentication
Sep 24, 2007; 14:44 | Patrick Larkin | Re: Looking for input: Authentication
Sep 24, 2007; 14:46 | Fletcher Sandbeck | Re: Looking for input: Authentication
Sep 24, 2007; 15:16 | Eric Browning | Re: Looking for input: Authentication
Sep 24, 2007; 15:25 | Patrick Larkin | Re: Looking for input: Authentication
Sep 24, 2007; 15:30 | Bil Corry | Re: Looking for input: Authentication
Sep 24, 2007; 17:49 | Greg Willits | Re: Looking for input: Authentication
Sep 24, 2007; 18:00 | Greg Willits | Re: Looking for input: Authentication
Sep 24, 2007; 18:03 | Greg Willits | Re: Looking for input: Authentication
Sep 24, 2007; 18:13 | Marc Pinnell | Re: Looking for input: Authentication
Sep 24, 2007; 18:31 | Greg Willits | Re: Looking for input: Authentication
Sep 24, 2007; 19:26 | Fletcher Sandbeck | Re: Looking for input: Authentication
Sep 24, 2007; 21:51 | Nikolaj de Fine Licht | Re: Looking for input: Authentication
Sep 24, 2007; 21:51 | Nikolaj de Fine Licht | Re: Looking for input: Authentication
Sep 25, 2007; 09:50 | Johan Solve | Re: Looking for input: Authentication
Sep 25, 2007; 10:16 | Bil Corry | Re: Looking for input: Authentication
Sep 25, 2007; 10:28 | Patrick Larkin | Re: Looking for input: Authentication
Sep 25, 2007; 10:28 | Patrick Larkin | Re: Looking for input: Authentication
Sep 25, 2007; 13:31 | Greg Willits | Re: Looking for input: Authentication
Sep 25, 2007; 13:51 | Patrick Larkin | Re: Looking for input: Authentication
Sep 25, 2007; 14:14 | Greg Willits | Re: Looking for input: Authentication
Oct 04, 2007; 20:18 | Marc Pinnell | Re: Looking for input: Authentication
Oct 04, 2007; 20:38 | Greg Willits | Re: Looking for input: Authentication
Oct 04, 2007; 20:41 | Marc Pinnell | Re: Looking for input: Authentication
Oct 04, 2007; 20:50 | Bil Corry | Re: Looking for input: Authentication
Oct 04, 2007; 20:58 | Marc Pinnell | Re: Looking for input: Authentication
Oct 04, 2007; 22:19 | Steve Piercy - Web Site Builder | Re: Looking for input: Authentication
Oct 04, 2007; 22:27 | Marc Pinnell | Re: Looking for input: Authentication
Oct 05, 2007; 02:41 | Steve Piercy - Web Site Builder | Re: Looking for input: Authentication
Oct 05, 2007; 11:06 | Marc Pinnell | Re: Looking for input: Authentication