Sitefinity Blogs

Little known Sitefinity configuration settings
More detailed examples for Sitefinity component usage
Work-arounds for Sitefinity limitations
Discoveries and Ah-Ha moments

Is your Website login secure?

by Rich Winslow | May 15, 2010

Login Methods

ASP.Net provides different ways to login and Sitefinity utilizes them:

Forms login
Windows Active Directory login
SSL Forms login
SSL Windows Active Directory login

When considering a login method, you need to consider the importance of the data you are protecting. However, you also need to consider the privileged operations as well.

What damage could be done if the information was visible to non-priviledged users even if the information cannot be modified (ex. selling information, visibililty of salaries)?
What damage could be done if privileged operations could be carried out on that information (ex. deletion of years of compiled information, addition or modification of information that could damage one's reputation)?

How dangerous is Non-SSL Login?

So you determined that you need to protect your information and privileged operations behind a login screen... but how secure is the login process?

Did you know that non-SSL logins pass usenames and passwords as PLAIN TEXT over the Internet?

People have a false sense of security thinking that an Active Directory login without SSL is secure. As a matter of fact...

Active Directory logins without SSL can be more dangerous than Forms Login without SSL.

This is because Forms login is typically isolated to that specific application, while an Active Directory login could give the fort away for privileged access to an entire company's infrastructure and core systems.

We highly discourage the use AD login without SSL

Where should you use SSL?

SSL should be used on all login screens, but SSL needs to be applied to all web pages that execute privileged operations and/or display sensitive data:

User Management (create, modify, delete of users; display of passwords)
Role Assignment (granting/revoking privileges)
Personal/Personnel Information (display addresses, salaries, SSN)
Credit Card processing (credit card numbers and pin numbers)

Web pages without SSL can be captured by anyone monitoring the Internet, especially in public places (ex. Wi-Fi hotspots, Internet cafes, hotel networks).

We recommend SSL for ALL pages and operations that a login protects.

How to Strengthen the Login Process?

along with strict password creation rules:

At least 8 characters long

Require mixed-case (ex. at least one capital letter)

Require alpha-numeric (ex. at least one numeric character)

Do not use common words

Only allow 5 login attempts then lock the user out for 20 mins

Use a Captcha control to force human login.

We recommend all of the above restrictions.

If you have further questions, please contact us at Automated Results

3 Comments

1 cheap jordans free shipping 25 Apr
delayed [b][url=http://www.louisvuittononline1854.com/damier-azur-canvas-C23.html]louis vuitton speedy azur 35[/url][/b] [b][url=http://www.louisvuittononline1854.com/damier-azur-canvas-C23.html]lv damier azur speedy 30[/url][/b] [b][url=http://www.louisvuittononline1854.com/]louis vuitton neverfull mm[/url][/b] [b][url=http://www.louisvuittononline1854.com/monogram-denim-C4.html]denim louis vuitton bag[/url][/b] Miss Wang [b][url=http://www.louisvuittononline1854.com/monogram-denim-C4.html]denim louis vuitton[/url][/b] this Spring [b][url=http://www.louisvuittononline1854.com/damier-azur-canvas-C23.html]louis vuitton damier azur hampstead pm[/url][/b] Festival travel .
2 cheap jordans free shipping 25 Apr
delayed louis vuitton speedy azur 35 lv damier azur speedy 30 louis vuitton neverfull mm denim louis vuitton bag Miss Wang denim louis vuitton this Spring louis vuitton damier azur hampstead pm Festival travel .
3 cheap jordans free shipping 25 Apr
? <a href=http://www.louisvuittononline1854.com/suhali-leather-C33.html>louis vuitton suhali leather bags</a> <a href=http://www.louisvuittononline1854.com/suhali-leather-C33.html>lv suhali bag</a> chapter <a href=http://www.louisvuittononline1854.com/>louis vuitton neverfull mm</a> one :we are the Chinese <a href=http://www.louisvuittononline1854.com/suhali-leather-C33.html>louis vuitton suhali lockit</a> Young <a href=http://www.louisvuittononline1854.com/suhali-leather-C33.html>louis vuitton suhali bag</a> <a href=http://www.louisvuittononline1854.com/monogram-empreinte-C6.html>monogram empreinte louis vuitton</a> Pioneers.

Comment

Your name Click to add
Email (optional) Click to add
Website (optional) Click to add

Comment

Why Give Our Secrets Away?

I often get asked why I'm willing to journal all of my Sitefinity discoveries. People think I'm insane to give away for free what I labored over at some point.

Let me answer that in 2 parts:

Why journal my discoveries?

Because I forget and I want to a library of knowledge to refer back to. Oh but it is far worse than that... THREE TIMES now, I've gone to Google and searched for a solution to a problem, only to find MY OWN BLOG entry is #1 in Google and viola! there's the solution!
Why give it away for free?

Because others have been kind enough to do it for us; what goes around, comes around.

There are all levels of experience, thus someone with less experience may defer to us when needed.

The lines of 'competition' are very much blurred; in our minds competition is a potential customer or partnership in the right situation.

We maintain healthy partnerships with one of our competitors; they come to us when they need help and visa versa.

There is plenty of work out there for everyone if you are putting out quality work and you are straightforward with clients and competition.

Talk to us about how we can help YOU!

Drop us an email
Give us a call: 828-862-6667 x300

Don't miss out!

Keep up with our Sitefinity discoveries!
Click on the RSS feed icon below or sign up for our newsletter.

Email Address: