Patrick Larkin wrote on 9/24/2007 10:39 AM:
> Is what I'm currently doing enough? Any other pointers on how to
> protect my site from being attacked or possibly cracked? I'd really
> appreciate any feedback or pointers to any scripts which people think
> are good models for what I want to do.

Some thoughts:

(1) Require all connections run through HTTPS.

(2) When starting a session, store the user's [client_browser] and [client_ip] and check they match on every subsequent page request. This will help protect against sidejacking.

(3) Not sure if you can have everyone update their password, but if so, it'd be better to use RIPEMD160 instead of MD5. And you should add a salt to the hash. Below is a ctag I wrote that takes a password, generates a random salt and uses a "cost" to generate the hash. You then use those components to recreate the hash given a password to compare against. More about salts and "cost" are discussed here:

<http://www.matasano.com/log/958/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/>

(4) Limit a log-in to just one person at a time (don't allow same person to log in multiple times simultaneously)

(5) Limit the number of failed log-ins before either the account is locked or delayed-locked.

(6) Auto-blacklist any abusive IP (hack attempts, too many connections per second, suspicious requests, etc).


- Bil


[

define_tag:'lp_crypt_hash',
-required='string',-copy, // text to hash, or check hash against
-optional='cost',-copy, // default is 20, can be any number between 1 and ????
-optional='saltLength', // default is a random length between 10 and 20, you can set it to a static size
-optional='hash',-type='string',-copy, // known hash to compare unknown hash against
-optional='salt', // salt to use for hash
-optional='map'; // this causes the tag to return a map of the hash, salt and cost. default is to return a single string with them all embedded

/*
based on code from Greg Willits and ideas from
http://www.matasano.com/log/958/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/

as configured, the largest size the hash returned will be 87 characters
*/

// get hash, if possible
if: (local_defined:'hash') && !(local_defined:'salt');
(fail_if: #hash->size < 14, -1, 'hash size too small');
local:'lassoVersion' = #hash->(substring: 1, 6);
local:'costLength' = (integer: #hash->(substring: 7,1));
local:'cost' = (integer: #hash->(substring: 8, #costLength));
local:'saltLength' = (lp_math_hextodec: #hash->(substring: 8 + #costLength,4));
local:'salt' = #hash->(substring: 12 + #costLength, #saltLength);
#hash = #hash->(substring: 12 + #costLength + #saltLength);
else: !(local_defined:'salt');
if: (local_defined:'saltLength');
local:'salt' = (lp_string_random: (integer:#saltLength));
else;
local:'salt' = (lp_string_random: (math_random: -min=10, -max));
/if;
/if;

if: !(local_defined:'cost');
local:'cost' = 20;
else;
#cost = (integer: #cost);
/if;
if: #cost < 1;
#cost == 1;
/if;

loop: #cost;
#string = (string: (cipher_digest: (#salt + #string), -digest='RIPEMD160', -hex));
/loop;

if: (local_defined:'hash');
if: #hash == #string;
return: true;
else;
return: false;
/if;
/if;

if: (local_defined:'map');
return: (map:'hash' = #string, 'salt' = #salt, 'cost' = #cost);
/if;

return: (lp_lasso_version:-compact) + (string:#cost)->size + #cost + (lp_string_pad: (lp_math_dectohex: #salt->size), 4) + #salt + #string;

/define_tag;


// save user password
var:'userpassword' = 'secret*1000password';
var:'hash_to_save_to_user_record' = (lp_crypt_hash:$userpassword);
'The hash for the user password is ' + $hash_to_save_to_user_record;'<br>';
'<br>';
// check user password where it's valid
var:'entered_password_to_check' = 'secret*1000password';
var:'hash_stored_in_user_account' = $hash_to_save_to_user_record; // pretend we pulled this from the user record, based on their username
'The password is valid? ' + (lp_crypt_hash:$entered_password_to_check,-hash=$hash_stored_in_user_account);'<br>';
// check user password where it's non-valid
var:'entered_password_to_check' = 'Secret*1000password'; // opps, user captialized the first letter, it won't work!
var:'hash_stored_in_user_account' = $hash_to_save_to_user_record; // pretend we pulled this from the user record, based on their username
'The password is valid? ' + (lp_crypt_hash:$entered_password_to_check,-hash=$hash_stored_in_user_account);'<br>';


'<hr>';

// save user password
var:'userpassword' = 'secret*1000password';
var:'hash_to_save_to_user_record' = (lp_crypt_hash:$userpassword,-map);
'The hash for the user password is ' + $hash_to_save_to_user_record;'<br>';
'<br>';
// check user password where it's valid
var:'entered_password_to_check' = 'secret*1000password';
var:'hash_stored_in_user_account' = $hash_to_save_to_user_record; // pretend we pulled this from the user record, based on their username
'The password is valid? ' + (lp_crypt_hash:$entered_password_to_check,-hash=$hash_stored_in_user_account->(find:'hash'),-salt=$hash_stored_in_user_account->(find:'salt'),-cost=$hash_stored_in_user_account->(find:'cost'));'<br>';
// check user password where it's non-valid
var:'entered_password_to_check' = 'Secret*1000password'; // opps, user captialized the first letter, it won't work!
var:'hash_stored_in_user_account' = $hash_to_save_to_user_record; // pretend we pulled this from the user record, based on their username
'The password is valid? ' + (lp_crypt_hash:$entered_password_to_check,-hash=$hash_stored_in_user_account->(find:'hash'),-salt=$hash_stored_in_user_account->(find:'salt'),-cost=$hash_stored_in_user_account->(find:'cost'));'<br>';


]


--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/