Bytes | Software Development & Data Engineering Community
Process security for website

Hi all,

A new project I'm working on requires a high level of security - possibly
around the same level used by banks, as it's dealing with highly confidential
medical info.

I'm thinking about the process of letting users register and get their
password.

The current suggestion is that when a user registers an interest, a staff
member has to authorise that person's entry into the site.
If the staff member believes this person to be legit, then the user is sent
an email asking them to come to the site.

When the user follows the link, they are told that they are about to be sent
their password (by email) and that it will be valid for 5 mins. The user
picks up their email, logs in and completes registration.

Now, that seems to me to be a rather drawn out solution.

Has anyone else implemented a solution that is ultra secure but also
relatively simple?

Thanks all

Simon
Nov 18 '05 #1
Simon,

There are some rather big problems with the proposed solution, including the
following:

1. If you set the "timeout" on the invitation to be sufficiently short that
it is unlikely that someone will pick the credentials off an SMTP server
before the user receives the e-mail, you will also have a reasonably high
likelihood of the target recipient not receiving it in time. This means
that you should also plan for more "manual" processing, such as allowing the
new user to phone in for their temporary password. This also incurs risk
since it can be difficult to validate the identity of a caller.

2. If a potential attacker learns of the approval process (e.g.: by
attempting a new registration), an interception trap could be set for any
messages matching the pattern, allowing the attacker to receive the
temporary credentials before or instead of the intended recipient. This
attacker might be, for example, an employee of the ISP via which the e-mails
are being sent, so setting such a trap may be quite trivial.

While encrypting the e-mail would be a potential workaround for the above
problems, a better approach would be to allow the new user to enter their
desired credentials with the initial request. Then, instead of transmitting
credentials in the subsequent e-mail, simply send a message indicating
whether the registration request was approved or denied. Obviously, there
are still plenty of issues surrounding validation of the requester's
identity, but I'm guessing that the staff approval might be intended to
address at least part of that problem.

HTH,
Nicole

Nov 18 '05 #2
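The flow Nicole recommends, written out as an added example (this is not code from the thread or from Simon's project): the requester chooses a password at request time, the server keeps only a salted PBKDF2-HMAC-SHA256 digest, staff approve or deny the pending request, and the only e-mail that goes out afterwards states the decision and carries no credential. The `Registry` class, its in-memory `outbox` standing in for an SMTP client, the 600,000-iteration work factor and the sample address and password are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Derive a salted password digest. The plaintext never leaves this call."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Throw-away credential used when the address is unknown, so that a login attempt
# against a non-existent account costs the same as one against a real account.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(os.urandom(32).hex())


@dataclass
class Account:
    email: str
    salt: bytes
    digest: bytes
    status: str = "pending"  # pending -> approved | denied


class Registry:
    """Hypothetical registration workflow (an assumption of this example, not the
    poster's system): the requester picks the password up front, staff approve or
    deny, and the notification e-mail carries the decision only, never a credential."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # Stand-in for an SMTP client: (recipient, body) pairs that would be sent.
        self.outbox: list[tuple[str, str]] = []

    def request_registration(self, email: str, password: str) -> None:
        """Step 1: the user registers interest and sets their own password."""
        if email in self.accounts:
            raise ValueError("registration already requested for this address")
        salt, digest = hash_password(password)
        self.accounts[email] = Account(email=email, salt=salt, digest=digest)

    def decide(self, email: str, approved: bool) -> None:
        """Step 2: staff decision. Only the outcome is mailed."""
        acct = self.accounts[email]
        if acct.status != "pending":
            raise ValueError("request already decided")
        acct.status = "approved" if approved else "denied"
        if approved:
            body = ("Your registration request has been approved. Sign in with the "
                    "username and password you chose when you registered.")
        else:
            body = "Your registration request has not been approved."
        self.outbox.append((email, body))

    def login(self, email: str, password: str) -> bool:
        """Step 3: sign-in succeeds only for an approved account with the right password."""
        acct = self.accounts.get(email)
        if acct is None:
            # Same cost as a real check, so unknown addresses are not enumerable by timing.
            verify_password(password, _DUMMY_SALT, _DUMMY_DIGEST)
            return False
        ok = verify_password(password, acct.salt, acct.digest)
        # Pending and denied accounts fail exactly like a wrong password.
        return ok and acct.status == "approved"


if __name__ == "__main__":
    reg = Registry()
    # Constructed sample request; nothing below is real data.
    reg.request_registration("alice@example.com", "correct horse battery staple")
    print("login before approval:", reg.login("alice@example.com", "correct horse battery staple"))
    reg.decide("alice@example.com", approved=True)
    print("login after approval:", reg.login("alice@example.com", "correct horse battery staple"))
    print("mail that would be sent:", reg.outbox)
```

Because the e-mail is purely a notification, an attacker who can read the user's mail (Nicole's ISP-employee case) learns that a request was approved but gets nothing they can log in with, and there is no short expiry window to race against, which removes the manual "phone in for a temporary password" fallback from point 1.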
