Velocity Reviews > Newsgroups > Programming > HTML > Login script

Login script

 
 
Matt
Guest
Posts: n/a
 
      01-14-2004
I've put together a forum (without the forum bit!) that requires
registration and login. Could someone have a quick look and see what they
think in terms of password security or any other issues?
http://d168790.u33.dc-servers.com/forum/forum.asp

Thanks


 
m
Guest
Posts: n/a
 
      01-14-2004
Matt wrote:

> I've put together a forum (without the forum bit!) that requires
> registration and login. Could someone have a quick look and see what they
> think in terms of password security or any other issues?
> http://d168790.u33.dc-servers.com/forum/forum.asp



I'm surprised you're mixing this:

<LINK rel="stylesheet" type="text/css" href="">

with this:

<BODY bgcolor="#ffffff" leftmargin="10"
topmargin="10" marginwidth="0" marginheight="0">
<TABLE width="100%" border="0" cellspacing="0"
cellpadding="0" bgcolor="#ffffff">
<BR><BR>

...and don't have a doctype definition.

I can't see the actual login.asp script.
--
cheers, m at mbstevens.com
 
Augustus
Guest
Posts: n/a
 
      01-14-2004

"Matt" <> wrote in message
news:...
> I've put together a forum (without the forum bit!) that requires
> registration and login. Could someone have a quick look and see what they
> think in terms of password security or any other issues?
> http://d168790.u33.dc-servers.com/forum/forum.asp
>


You don't really have much there... honestly it looks like you put no
thought into it at all

A couple of things:

1) You don't give any error messages
2) If I type in something and leave another field blank and hit SUBMIT on
the signup form, what I typed in should be filled in on the form (and then
an error message below or around the items that I didn't fill out telling me
that I didn't fill them out)
3) For "password" you should have the user type it in twice and then check
that the two match... if they do then the password is ok, if it doesn't then
tell the user the 2 passwords don't match. What if somebody has a crappy
keyboard where a key doesn't work sometimes, or they type so fast and
sometimes typos are made?
4) You should line things up
5) You don't need the same size input boxes for everything. For password
you have SIZE=10 MAXLENGTH=40... why are you giving me so much room if I can
only enter 10 characters?
6) For email I entered "test" and it accepted it... didn't check for any of
the basic elements that make up an email address
7) For security, you shouldn't let people's username be the same as password
You should include a "REMEMBER ME" option... if I select this you should
write a cookie with my userID so that I don't have to log in next time I
come back

Ok, that's more than a couple... it'll give you something to start with
though...

Clint

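Clint's list above (error messages per field, re-filling what was typed, typing the password twice and comparing, a basic email check, and username not equal to password) as a constructed Python validation routine. This is added example code, not the forum's own ASP; the 40-character limit is taken from the MAXLENGTH=40 he quotes, and the email rule is deliberately the "basic elements" check he describes, nothing stricter.

```python
import re

# Assumption: the form's MAXLENGTH=40 is the server-side limit too.
MAX_LEN = 40
# Basic shape only: something, one '@', something, a dot, something; no spaces.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

FIELDS = ("username", "email", "password", "password2")


def validate_signup(form):
    """Validate a dict of submitted signup fields.

    Returns (values, errors): `values` is what the user typed, so the form
    can be re-filled instead of wiped; `errors` maps field name -> message
    for every field that failed, so each message can sit next to its box.
    """
    values = {f: (form.get(f) or "").strip() for f in FIELDS}
    errors = {}

    # 1) and 2): say which fields are missing rather than failing silently.
    for f in FIELDS:
        if not values[f]:
            errors[f] = "This field is required."
        elif len(values[f]) > MAX_LEN:
            errors[f] = "Must be at most %d characters." % MAX_LEN

    # 6): "test" must not pass as an email address.
    if "email" not in errors and not EMAIL_RE.match(values["email"]):
        errors["email"] = "That does not look like an email address."

    # 3) and 7): typed twice to catch dropped keys and typos,
    # and never the same as the username.
    if "password" not in errors and "password2" not in errors:
        if values["password"] != values["password2"]:
            errors["password2"] = "The two passwords do not match."
        elif values["password"].lower() == values["username"].lower():
            errors["password"] = "Password must not be the same as username."

    # Re-fill everything except the passwords; never echo those back.
    values["password"] = values["password2"] = ""
    return values, errors
```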


 
Matt
Guest
Posts: n/a
 
      01-15-2004

"Augustus" <> wrote in message
news:bu3v7h$dc6m7$...
>
> "Matt" <> wrote in message
> news:...
> > I've put together a forum (without the forum bit!) that requires
> > registration and login. Could someone have a quick look and see what
> > they think in terms of password security or any other issues?
> > http://d168790.u33.dc-servers.com/forum/forum.asp
> >
>
> You don't really have much there... honestly it looks like you put no
> thought into it at all
>
> A couple of things:
>
> 1) You don't give any error messages
> 2) If I type in something and leave another field blank and hit SUBMIT on
> the signup form, what I typed in should be filled in on the form (and then
> an error message below or around the items that I didn't fill out telling
> me that I didn't fill them out)
> 3) For "password" you should have the user type it in twice and then check
> that the two match... if they do then the password is ok, if it doesn't
> then tell the user the 2 passwords don't match. What if somebody has a crappy
> keyboard where a key doesn't work sometimes, or they type so fast and
> sometimes typos are made?
> 4) You should line things up
> 5) You don't need the same size input boxes for everything. For password
> you have SIZE=10 MAXLENGTH=40... why are you giving me so much room if I
> can only enter 10 characters?
> 6) For email I entered "test" and it accepted it... didn't check for any
> of the basic elements that make up an email address
> 7) For security, you shouldn't let people's username be the same as
> password
> You should include a "REMEMBER ME" option... if I select this you
> should write a cookie with my userID so that I don't have to log in next
> time I come back
>
> Ok, that's more than a couple... it'll give you something to start with
> though...
>
> Clint
>


Ok, forget about layout, validation etc. I did knock it up in a few
minutes. Can anyone see any security issues with password and personal
details? It just uses an MS Access db to store registered users, could this
present problems?

Matt


 
Toby A Inkster
Guest
Posts: n/a
 
      01-15-2004
Matt wrote:

> Can anyone see any security issues with password and personal
> details?


Well it's difficult to see without the source.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me - http://www.goddamn.co.uk/tobyink/?page=132

 
Matt
Guest
Posts: n/a
 
      01-15-2004

"Toby A Inkster" <> wrote in message
news. ..
> Matt wrote:
>
> > Can anyone see any security issues with password and personal
> > details?
>
> Well it's difficult to see without the source.
>
> --
> Toby A Inkster BSc (Hons) ARCS
> Contact Me - http://www.goddamn.co.uk/tobyink/?page=132
>


Well the point is, the user can't see the source. Does that mean the
database cannot be hacked (and is therefore secure)?


 
Augustus
Guest
Posts: n/a
 
      01-15-2004

"Matt" <> wrote in message
news...
>
> "Toby A Inkster" <> wrote in message
> news. ..
> > Matt wrote:
> >
> > > Can anyone see any security issues with password and personal
> > > details?
> >
> > Well it's difficult to see without the source.
> >
> > --
> > Toby A Inkster BSc (Hons) ARCS
> > Contact Me - http://www.goddamn.co.uk/tobyink/?page=132
> >
>
> Well the point is, the user can't see the source. Does that mean the
> database cannot be hacked (and is therefore secure)?


No, the user can't see the source of the page, because it is run on the
server and then the compiled results are sent as html and text...

That doesn't mean it is secure nor can it be hacked... you are using Access
as your database... if it's stored on the server in the website with a simple
name, somebody might be able to find it..

ie: if it's: www.mysite.com/database.mdb then I can just type that url in
and download your database

Also, you are most likely using include files (if not you should be) and if you
don't end them in .asp (a few years ago a lot of asp books suggested using
.inc to denote an include file) then they could possibly be found and opened

IE: if you are using include files like mydsn.inc then enter the path
to the file with the name into your browser like
www.mysite.com/includes/mydsn.inc and see what happens... your asp
source code isn't compiled on the server and therefore sent as HTML/text
(because it doesn't end in the .asp extension the server doesn't know it
should be compiled on the server)

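Clint's two points above (an Access .mdb sitting under the web root that anyone can download by URL, and include files named .inc that the server sends out as plain text) as a local audit a site owner can run over their own deployment directory before publishing it. This is an added example, not code from the original site; the extension sets assume a default classic-ASP mapping where only .asp/.asa are executed, and the sample layout is constructed to mirror the thread's examples.

```python
import os

# Assumption: default classic-ASP mapping; only these run server-side,
# everything else is sent to the browser verbatim.
PROCESSED = {".asp", ".asa"}
# Static content that is meant to be served as-is.
STATIC = {".css", ".htm", ".html", ".js", ".gif", ".jpg", ".png"}
# Access database files: a downloadable copy of every registered user.
DATABASE = {".mdb", ".mde", ".ldb"}
# Name fragments that usually mean a connection string or config inside.
INCLUDE_HINT = ("dsn", "conn", "config", "include")

# Constructed sample layout echoing the thread's examples.
SAMPLE = ["forum/forum.asp", "forum/login.asp", "database.mdb",
          "includes/mydsn.inc", "includes/header.asp", "style.css"]


def classify(path):
    """Return a finding for one web-root-relative path, or None if fine."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if ext in DATABASE:
        return "database reachable by URL, move it outside the web root: " + path
    if ext in PROCESSED or ext in STATIC:
        return None
    if ext == ".inc" or any(h in name for h in INCLUDE_HINT):
        return "include served as plain text, rename to .asp or move it: " + path
    return None


def audit_webroot(paths):
    """Run classify() over an iterable of web-root-relative paths."""
    return [f for f in map(classify, paths) if f]


def audit_tree(root):
    """Walk a real directory tree and audit every file under it."""
    paths = [os.path.relpath(os.path.join(d, f), root)
             for d, _, files in os.walk(root) for f in files]
    return audit_webroot(paths)


if __name__ == "__main__":
    for finding in audit_webroot(SAMPLE):
        print(finding)
```

Run `audit_tree("C:/inetpub/wwwroot")` (or wherever the site lives) instead of the sample list to check a real deployment.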



 
Toby A Inkster
Guest
Posts: n/a
 
      01-15-2004
Matt wrote:

> Well the point is, the user can't see the source. Does that mean the
> database cannot be hacked (and is therefore secure)?


No, it just means that it's a little more difficult to hack.

No-one (outside Microsoft) can see the source to Windows. Can it be hacked?

--
Toby A Inkster BSc (Hons) ARCS
Contact Me - http://www.goddamn.co.uk/tobyink/?page=132

 