As computer systems, and particularly the internet, expand their role in our daily lives, security in computer systems becomes more important, and it is a vital part of every programmer’s job to make his or her code secure. This matters even more when you go online, on the internet or an intranet, and expose your application to more users and possible threats. The number of security attacks by hackers and their catastrophic impacts (in terms of privacy and money loss) has been increasing, and we can all remember many of the big headlines of the past few months, such as the several attacks on the Sony PlayStation Network. As an obvious consequence of this, security has become very important for me, just like everybody else, and it’s scary enough that a few times while sleeping I have had nightmares about my sites being hacked! Therefore, I always spend a lot of time making sure my code is secure and implementing different mechanisms to prevent hackers from harming my online identity. As development technologies have evolved and online software has grown bigger, newer techniques, methods, and tools have been provided to improve the security of applications at different levels, ranging from securing the programming languages themselves to security mechanisms like those offered by IIS.

Having said that, a few weeks ago my blog was the target of a dictionary attack (Jeff Atwood had a nice post about dictionary attacks as well) by a hacker for almost 24 hours. The hacker, who presumably thought that I had no mechanism for monitoring access to my blog’s administration area, tried a dictionary attack on my login page to gain access to my blog.

This story ended with me leaving a message for the hacker, which was probably read later and forced him/her to stop this pointless attack. However, it made me extra-cautious about security, so I decided to take the security of my websites to the next level, so that I can leave such messages for my hackers in the future as well! In this post I’m going to explain the technique that I implemented, 2-step verification by phone, which is going to become a common technique in the near future. Searching the internet, there wasn’t much information about this technique, especially for ASP.NET developers, so I hope that this post can contribute and encourage other developers to implement such mechanisms!
Overview

Before moving on to what I did, I have to say that in the past years there have been two common techniques used by developers to prevent dictionary attacks, used either independently or in combination with each other:
Read more: Keyvan Nayyeri
- CAPTCHA validation: Many websites implement some kind of CAPTCHA control that forces the user to enter the text displayed in an image if he fails to log into the website after a few attempts. This prevents automated dictionary attacks, but it has two big issues: first, it has a very bad impact on the usability of the site, and second, it is vulnerable to image-processing techniques that parse the image and automatically recognize the text so that the dictionary attack can continue.
- Failed login attempt threshold: The other common mechanism is to store the number of failed login attempts and prevent the user from logging into the site for a period of time (e.g., 10 minutes), even if he provides the correct username and password combination. This method, which I’ve used on Waegis, looks more promising than CAPTCHA controls but has one weakness: it cannot prevent those attacks that test combinations of usernames and passwords together. In other words, the hacker may be able to find some valid usernames on the site that he can use for bad purposes later.
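To make the threshold mechanism and its weakness concrete, here is an added example (my own sketch, not code from this post or from Waegis, and written in Python rather than ASP.NET so it runs anywhere): a per-account failed-login counter with a 10-minute lockout that refuses even the correct password while the lock is active, plus two defender-side additions that the weakness above calls for, a per-source counter so that one source trying a single guess against many usernames is still throttled, and an identical reply for unknown users and wrong passwords so the login page does not confirm which usernames exist. The usernames, salt, source addresses and the numeric thresholds are constructed values; the 10-minute duration is the one mentioned in the post.

```python
import hashlib
import hmac
import time
from collections import defaultdict

LOCKOUT_THRESHOLD = 5        # failed attempts before an account is locked (constructed value)
LOCKOUT_SECONDS = 10 * 60    # 10-minute lockout, as in the post
SOURCE_THRESHOLD = 20        # failures from one source across any usernames (constructed value)


class LoginThrottle:
    """Failed-login threshold keyed by the submitted username, plus a per-source counter."""

    def __init__(self, users, clock=time.monotonic):
        self._users = users                    # username -> (salt bytes, sha256 hex)
        self._clock = clock                    # injectable so the demo can fast-forward time
        self._account_failures = defaultdict(int)
        self._account_locked_until = {}
        self._source_failures = defaultdict(int)
        self._source_locked_until = {}

    @staticmethod
    def hash_password(password, salt):
        return hashlib.sha256(salt + password.encode()).hexdigest()

    def _locked(self, table, key):
        until = table.get(key)
        return until is not None and self._clock() < until

    def login(self, username, password, source):
        now = self._clock()
        # A lock applies even when the credentials are correct; it is keyed by the
        # submitted username whether or not that user exists, so "locked" reveals nothing.
        if self._locked(self._source_locked_until, source) or self._locked(self._account_locked_until, username):
            return "locked"
        record = self._users.get(username)
        # Hash something even for an unknown user so the timing does not leak existence.
        salt, expected = record if record else (b"dummy-salt", "0" * 64)
        ok = record is not None and hmac.compare_digest(self.hash_password(password, salt), expected)
        if ok:
            self._account_failures.pop(username, None)
            return "ok"
        # Count the failure against both the account and the source address.
        self._account_failures[username] += 1
        self._source_failures[source] += 1
        if self._account_failures[username] >= LOCKOUT_THRESHOLD:
            self._account_locked_until[username] = now + LOCKOUT_SECONDS
            self._account_failures[username] = 0
        if self._source_failures[source] >= SOURCE_THRESHOLD:
            self._source_locked_until[source] = now + LOCKOUT_SECONDS
            self._source_failures[source] = 0
        # One message for "no such user" and "wrong password": no username enumeration.
        return "failed"


class FakeClock:
    """Constructed clock so the demo can jump past the lockout window."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def make_demo():
    salt = b"constructed-salt"
    users = {"keyvan": (salt, LoginThrottle.hash_password("correct horse", salt))}
    clock = FakeClock()
    return LoginThrottle(users, clock), clock


def account_lockout_sequence():
    """Five wrong passwords lock the account; the right one is refused until the window expires."""
    throttle, clock = make_demo()
    results = [throttle.login("keyvan", "guess%d" % i, "10.0.0.1") for i in range(5)]
    results.append(throttle.login("keyvan", "correct horse", "10.0.0.1"))   # still inside the 10 minutes
    clock.advance(LOCKOUT_SECONDS + 1)
    results.append(throttle.login("keyvan", "correct horse", "10.0.0.1"))   # window expired
    return results


def username_spray_sequence():
    """One guess against many usernames never trips the per-account lock, but the
    per-source counter does; unknown and known users get the same 'failed' reply."""
    throttle, _ = make_demo()
    replies = [throttle.login("user%02d" % i, "Password1", "10.0.0.2") for i in range(SOURCE_THRESHOLD)]
    after = throttle.login("keyvan", "correct horse", "10.0.0.2")
    return replies, after


if __name__ == "__main__":
    print(account_lockout_sequence())
    print(username_spray_sequence())
```

The per-account counter alone is exactly the mechanism the post describes, and `username_spray_sequence` is the case it misses: twenty different usernames, one failure each, no account ever reaches the threshold. The per-source counter closes that gap for a single origin; an attack spread across many origins still needs something stronger, which is where the second factor the post goes on to describe comes in.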