Use Captcha ( http://en.wikipedia.org/wiki/Captcha ) for both the login
page and the password recovery page. This will deter any automated
brute-force attacks. I have found captcha technique to be very useful in
preventing brute force attacks.
Thanks.
Saqib Ali
http://validate.sf.net
steve wright <steviewr1ght@yahoo.com> wrote on 10/07/2004 02:45:04 PM:
Hello!
I need to design a web application that incorporates a
layered password login page since I can not use
client-side certificates etc for this project - but
need to beef up the usual password/username scheme.
Are there are good whitepapers that describes such as
a web application scheme, including the registration
process, where the user would need to provide a
passphrase, to be used as a shared secret in the
authentication process. To compliment this a secure
password recovery process is also needed. Something
along the lines of what many internet banks do these
days with username and password then reirection to a
new page with 3 random characters from your
passphrase, plus a secure "forgot your password"
process to go with it.
Any pointers to resources which details such a scheme
with some nice process flows would be highly
appreciated...
What I have found so far on the net described some of
the above in a fragmented and incomplete manner. I
have yet to find a comprehensive guide/whitepaper that
does a good job of covering all aspects including
mapping out the required processes...
- SW
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com
