Capture feature?
Date: 19/10/2010 16:01:29
Forum: ASP.NET
Category: Other
Environment: C# 2.0
Thread ID: 01486121
Message ID: 01486289
Views: 28
>>>>Hi,
>>>>
>>>>A customer mentioned to me that they would like to improve security of my ASP.NET application by adding the "capture" feature (this is what it sounded to me like on the phone). Has anybody done this feature? What is involved?
>>>>
>>>>TIA
>>>
>>>I would recommend the Telerik Captcha control (not free) or this one: http://www.codinghorror.com/blog/2004/11/captcha-control-coda.html (free).
>>
>>Thank you. But the more I think about this issue the more I am finding (in my memory) that I never see this type of entry validation on authenticated sites. That is, whenever I have to enter my user name and password I am not prompted to enter the "key" value. Only where the posting is anonymous (like making a comment to a blog or something like that) you have to enter the Captcha characters.
>
>You're right. If someone is trying to access the site 'illegally' there are two possible scenarios:
>
>(a) they don't know the user name *or* the password. If you give them no indication of which one is wrong they can bang away at that for a loooooong time.
>
>(b) They have somehow got the user name (or even possibly the password) and keep trying this with variations of the other. So if you see, for example, the same user name a few times in succession with different passwords you may assume that someone *may* be attempting an 'illegal' authentication. At this point whether the attack is automated or not is, to a large extent, irrelevant - you can block further attempts (either for a defined period or indefinitely) and fall back to, for example, the 'Email forgotten password' routine.
>
>If you are curious you can often determine the likelihood of the attack being automated by the frequency of the attempts. But often these guys aren't in a hurry - so, for example, half a dozen attempts over a two hour period is more suspicious than the same number of attempts in two minutes (but less suspicious than six attempts in three seconds) (g)
>
>Rambled a bit - but, bottom line, CAPTCHA serves no useful purpose if a link requires authentication........

Thank you for your input, Viv. It is very helpful.
"The creative process is nothing but a series of crises." Isaac Bashevis Singer
"My experience is that as soon as people are old enough to know better, they don't know anything at all." Oscar Wilde
"If a nation values anything more than freedom, it will lose its freedom; and the irony of it is that if it is comfort or money that it values more, it will lose that too." W.Somerset Maugham
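The per-user-name lockout described in the quoted reply (repeated failures for the same user name, then blocking further attempts for a defined period), as an added example that is not part of the original thread. The class name `LoginThrottle`, its method names and the threshold values are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper, not from the thread: per-user-name failure counter with timed lockout.
public class LoginThrottle
{
    // Assumed policy values; tune them for the application.
    private const int MaxFailures = 5;
    private static readonly TimeSpan Window = TimeSpan.FromHours(2);
    private static readonly TimeSpan LockoutPeriod = TimeSpan.FromMinutes(30);

    private readonly object _sync = new object();
    private readonly Dictionary<string, List<DateTime>> _failures =
        new Dictionary<string, List<DateTime>>(StringComparer.OrdinalIgnoreCase);
    private readonly Dictionary<string, DateTime> _lockedUntil =
        new Dictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Call before checking the password; a locked user name is refused outright.
    public bool IsLockedOut(string userName, DateTime nowUtc)
    {
        lock (_sync)
        {
            DateTime until;
            return _lockedUntil.TryGetValue(userName, out until) && nowUtc < until;
        }
    }

    // Call after a wrong password. Returns true when this failure starts a lockout.
    public bool RecordFailure(string userName, DateTime nowUtc)
    {
        lock (_sync)
        {
            List<DateTime> attempts;
            if (!_failures.TryGetValue(userName, out attempts))
                _failures[userName] = attempts = new List<DateTime>();
            // The long window also catches slow, spaced-out guessing.
            attempts.RemoveAll(delegate(DateTime t) { return nowUtc - t > Window; });
            attempts.Add(nowUtc);
            if (attempts.Count < MaxFailures) return false;
            _lockedUntil[userName] = nowUtc + LockoutPeriod;
            attempts.Clear();
            return true;
        }
    }

    // Call after a successful login to reset the failure count.
    public void RecordSuccess(string userName) { lock (_sync) { _failures.Remove(userName); } }
}
```

The state lives in one process's memory, so a web farm or an application restart needs a shared store instead. Return the same generic failure message whether the user name is unknown, the password is wrong or the name is locked out, so the response does not reveal which one applies.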