What is the best way to secure my website

What is the best way to secure my website?

Currently I have a "Users_table" where I have all the records of my users, passwords and their access level. I have a screen where the user can change their own password; every time they want to change their password, they will be informed if it is "weak, medium or strong" (AJAX Password Strength).

My question is, is this enough? Please help...

11/21/2007 2:32:34 AM

4 Replies


This really depends on how far you want to go and how much work you are prepared to do to secure your site.

Here are some things that you may do:

  • Use an HTTPS connection
  • Encrypt the password before storing it in the database, or even use a one-way hash
  • Encrypt the database connection string in your web.config file
  • Enforce password age, i.e. force the user to change their password every so often.


DiscountASP.NET: Developer Ready ASP.NET Web Hosting
- Microsoft Gold Certified Partner
- Voted 2008, 2007, 2006 & 2005 Best ASP.NET Web Hosting by asp.netPRO Magazine
11/21/2007 3:18:35 AM

1. I like the idea of encrypting the password before storing it in the database and encrypting the database connection string in my web.config.

Is there a good site where I can learn this?

2. What do you mean by "Use HTTPS connection"?

11/21/2007 5:07:17 AM

I've downloaded a "Hash Password Generator". I am going to use the generated hash password as my values to be saved in my database. The problem is, "can it be decrypted?" I am thinking of a possible scenario where the user will forget their password.

11/21/2007 6:58:25 AM

1) Try http://aspnet.4guysfromrolla.com/articles/103002-1.aspx

2) Use an HTTPS (SSL) connection for the login page.

3) If you use a one-way hash, you cannot retrieve the password.

11/21/2007 7:49:21 PM
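The points the replies make, worked through in code: store only a salted one-way hash (which, as reply 4 says, cannot be reversed, so "forgot my password" becomes a reset flow rather than recovery), and enforce the password age from reply 1's list. This is an added example, not code from the original thread or from DiscountASP.NET. The in-memory `USERS` dict standing in for the poster's "Users_table", PBKDF2-HMAC-SHA256 as the hash, and the 90-day password age and 1-hour reset-token lifetime are assumptions, not values from the thread.

```python
"""Added example (not from the thread): one-way password storage for a
"Users_table" plus a reset flow that replaces password recovery.
Assumptions: USERS stands in for the database table; PBKDF2-HMAC-SHA256
is the hash; the 90-day age and 1-hour token lifetime are illustrative."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000                  # work factor; raise as hardware gets faster
MAX_PASSWORD_AGE_SECONDS = 90 * 24 * 3600    # assumed "change every so often" policy
RESET_TOKEN_TTL_SECONDS = 3600               # assumed lifetime of a reset link

# Constructed stand-ins for the Users_table and a reset-token table.
# There is no plaintext password column anywhere.
USERS = {}           # username -> {"password_hash", "access_level", "password_changed_at"}
RESET_TOKENS = {}    # sha256(token) -> (username, expiry)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A fresh random salt per user means identical passwords hash differently."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time.
    Checking is the only operation a one-way hash supports; it is never reversed."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


# Hashed against when the username does not exist, so a login attempt costs
# the same time either way and does not reveal which usernames are valid.
DUMMY_HASH = hash_password(secrets.token_hex(8))


def create_user(username: str, password: str, access_level: str,
                now: Optional[float] = None) -> None:
    now = time.time() if now is None else now
    USERS[username] = {"password_hash": hash_password(password),
                       "access_level": access_level,
                       "password_changed_at": now}


def login(username: str, password: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason); enforces the password-age policy on every login."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    stored = user["password_hash"] if user else DUMMY_HASH
    ok = verify_password(password, stored)
    if user is None or not ok:
        return False, "bad credentials"      # same message for unknown user and wrong password
    if now - user["password_changed_at"] > MAX_PASSWORD_AGE_SECONDS:
        return False, "password expired"
    return True, "ok"


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """'Forgot password': the hash cannot be reversed, so issue a one-time,
    short-lived token to send to the user's verified contact address.
    Only the token's hash is stored, so a leaked table yields no usable tokens."""
    now = time.time() if now is None else now
    if username not in USERS:
        return None                          # caller shows the same message either way
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("ascii")).hexdigest()
    RESET_TOKENS[key] = (username, now + RESET_TOKEN_TTL_SECONDS)
    return token


def reset_password(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token (single use), check expiry, then store a new hash."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode("ascii")).hexdigest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    USERS[username]["password_hash"] = hash_password(new_password)
    USERS[username]["password_changed_at"] = now
    return True
```

The `now` parameters exist only so the age and expiry rules can be exercised deterministically; in a real site they default to the clock. The point for the poster's scenario is that nothing in this table lets anyone, including the site owner, read a user's password back: a forgotten password is handled by proving control of the account through the token and then setting a new one.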
