"Ed Jaffe" <ed*********@yahoo.com> wrote in message
news:Oh**************@tk2msftngp13.phx.gbl...
> Ray, I would like to develop an internet application by using ASP/IIS technology. I am not familiar with ISAPI or .NET. And I don't want to use NT Security "only" because it takes a lot of resources to maintain the accounts.
Tru dat. ;]
>>> My real concern is how to do the login process. I am afraid that if the web-site is using only the anonymous account and has a plain table (User with diff levels) to direct the secured pages access, it will be easy for a hacker to break it!!!!
How? I think that 99% of the sites out there use login credentials that are
stored in a database. This is normal. Like everything, you have to balance
security with functionality. Like, if you think that someone is going to
sit there on your login page all day trying to get lucky entering usernames
and passwords, you can add something to your site to track the number of
invalid logins by IP and then deny access to the page from that IP. You can
also mandate password complexity from your users.
For me, as an end user, all I need is a username and password to get into
web banking. From there, I can transfer money, send money to other people
via checks, close accounts, whatever. The only thing protecting me is my
password. This is normal though.
Just don't do anything foolish like use an Access database and put it in
your website where people can download it. And don't let people use blank
passwords. And make people change their passwords. And physical security
of the server is also important.
Ray at work
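
The per-IP tracking of invalid logins suggested in the reply above, as an added example that is not part of the original post. It is written in Python rather than ASP so the logic can be run on its own; the thresholds, the in-memory store and the `check_credentials` callback are assumptions, and a real site would keep the counters in its database or a shared cache.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed: failures allowed inside the window
WINDOW_SECONDS = 900    # assumed: only failures from the last 15 minutes count
LOCKOUT_SECONDS = 1800  # assumed: how long an IP is denied once it trips

class LoginThrottle:
    def __init__(self, clock=time.time):
        self._clock = clock                   # injectable so tests can control time
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> time at which the block expires

    def is_blocked(self, ip):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self._clock() >= until:            # block has expired, forget it
            del self._blocked_until[ip]
            return False
        return True

    def record_failure(self, ip):
        now = self._clock()
        recent = self._failures[ip]
        recent.append(now)
        # Drop failures that have aged out of the window.
        while recent and recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self._blocked_until[ip] = now + LOCKOUT_SECONDS
            recent.clear()

def attempt_login(throttle, ip, username, password, check_credentials):
    """Return 'blocked', 'denied' or 'ok' for one login request."""
    if throttle.is_blocked(ip):
        return "blocked"                      # refuse before touching the credentials
    # A blank password is always a failure, whatever the user table says.
    if not password or not check_credentials(username, password):
        throttle.record_failure(ip)
        return "denied"
    # Failures are left to age out instead of being cleared on success, so one
    # valid account cannot be used to reset the counter between guesses.
    return "ok"
```

Many users behind one proxy or NAT gateway share an IP address, so the threshold has to tolerate ordinary typos from a whole office, and a per-username counter is a common complement.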