CodeName
Junior Member
296 Posts |
Posted - 07 December 2002 : 10:54:27
|
Can we use this method in Snitz Forums 3.4.3 with SHA256?
But only for admins.
At the admin_login page the forum will ask for 2 different passwords.
The first password is for the username and the second password is for admin level.
For example: my name is Codename and I'm an admin.
I'm going to admin_login.asp and it's asking for the first-level password and I write abc147^#blabla. After password checking it's going to the second level for admin level.
And I'm writing my admin password for this username.
I'm writing 89da}_4145etc and the forum is checking this password too for a correct or wrong password. And after that I can log in at my Admin_home.asp and I can have admin level.
If the first password is wrong, whoever tries to log in with my username can't log in. Or the second-level password.
Is it possible? Or something like this?
If it's possible it can be a very good solution for Snitz forum security. |
Edited by - CodeName on 07 December 2002 10:56:16 |
|
CodeName
Junior Member
296 Posts |
Posted - 07 December 2002 : 12:42:09
|
Nothing about this??? |
|
|
CodeName
Junior Member
296 Posts |
Posted - 08 December 2002 : 10:39:49
|
Well, I see that nobody cares about security on Snitz?... |
Edited by - CodeName on 08 December 2002 10:42:10 |
|
|
David K
Junior Member
494 Posts |
Posted - 08 December 2002 : 17:59:48
|
It can be done, but I don't see why it should be done, it won't help! |
|
|
PeeWee.Inc
Senior Member
United Kingdom
1893 Posts |
Posted - 08 December 2002 : 18:52:44
|
I was thinking more along the lines of blocking any account that has had the password entered wrong more than 3 times, and an admin would have to unlock it |
De Priofundus Calmo Ad Te Damine |
|
|
Gremlin
General Help Moderator
New Zealand
7528 Posts |
Posted - 08 December 2002 : 20:16:25
|
Yes, it could be done, CodeName, and it may well add some additional security, especially in the case where someone manages to obtain the database, or admins are using a shared PC, in which case the cleartext cookies could be compromised. |
Kiwihosting.Net - The Forum Hosting Specialists
|
|
|
CodeName
Junior Member
296 Posts |
Posted - 09 December 2002 : 09:46:50
|
Well, it's good to see somebody responded to this important subject :-)
Thanks to those who responded to this topic :-)
Now,
PeeWee.INC, I think your thing doesn't matter, because it can block only the brute force method. And if your enemy finds any security hole in the code on your pages, he can use that.
And I thought that what I said in my first post in this topic can work. Because if he/she can learn my password, he/she can't be admin and can do nothing.
That's why I asked the forum :-)
------
Gremlin,
Well, can we add extra code to the Snitz forum for my idea? |
Edited by - CodeName on 09 December 2002 09:49:39 |
|
|
bjlt
Senior Member
1144 Posts |
Posted - 09 December 2002 : 11:29:31
|
An alternative that has been discussed before is using encrypted login keys instead of the password in the cookie, which is changed every time a user logs in. Even though one can fake your cookie, he still doesn't know your password to do important things, and when you log in again his cookie becomes invalid.
There's even a mod that has been developed with this capability.
Basically you add another field to the member table and use an encryption method to generate and encrypt a login key, and store it in the table and cookie every time one logs in.
Then will you consider using SSL? I want to turn my site, which is integrated with Snitz, into a commercial one as well.
I also moved the admin files to another folder and have it password protected, and I've written some functions to log suspicious activity such as an odd querystring, ' in some input field, etc. |
|
|
|
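The rotating login key bjlt describes in the last post, as an added sketch that is not part of the thread and is not Snitz or mod code. It is written in Python with SQLite rather than ASP, the table and column names are assumptions, and it stores a SHA-256 digest of the key instead of an encrypted copy (an assumption of this example) so that a copied database does not yield a usable cookie value.

```python
import hashlib
import hmac
import secrets
import sqlite3

def open_db():
    """In-memory stand-in for the forum member table (constructed schema)."""
    db = sqlite3.connect(":memory:")
    # login_key_hash plays the role of the extra field added to the member table
    db.execute("CREATE TABLE members (name TEXT PRIMARY KEY, login_key_hash TEXT)")
    db.execute("INSERT INTO members VALUES ('codename', NULL)")  # constructed row
    return db

def _digest(key):
    return hashlib.sha256(key.encode("utf-8")).hexdigest()

def issue_login_key(db, name):
    """Call only after the password check succeeded. Returns the cookie value."""
    key = secrets.token_urlsafe(32)  # fresh random key on every login
    cur = db.execute("UPDATE members SET login_key_hash = ? WHERE name = ?",
                     (_digest(key), name))
    if cur.rowcount != 1:
        raise KeyError(name)
    db.commit()
    return key  # this goes in the cookie; the password never does

def check_login_key(db, name, cookie_key):
    """True only if the cookie carries the key issued at the latest login."""
    row = db.execute("SELECT login_key_hash FROM members WHERE name = ?",
                     (name,)).fetchone()
    if row is None or row[0] is None or not cookie_key:
        return False
    # constant-time comparison of the stored digest with the cookie's digest
    return hmac.compare_digest(row[0], _digest(cookie_key))

def revoke_login_key(db, name):
    """Logout: clear the stored digest so no outstanding cookie is accepted."""
    db.execute("UPDATE members SET login_key_hash = NULL WHERE name = ?", (name,))
    db.commit()

if __name__ == "__main__":
    db = open_db()
    copied = issue_login_key(db, "codename")  # cookie left behind on a shared PC
    fresh = issue_login_key(db, "codename")   # the owner logs in again
    print(check_login_key(db, "codename", copied))  # old cookie is rejected
    print(check_login_key(db, "codename", fresh))   # current cookie is accepted
```

Sensitive actions such as changing the password or entering the admin pages would still ask for the password itself, since the key only proves possession of a cookie.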