security policy for many users

From: Kevin Brown (
Date: 08/13/03

Date: Wed, 13 Aug 2003 09:20:41 -0700

Why not get passwords set for the domain? Why write
password and user id management into your web applications
when it is already supplied by the OS?
I don't mean to avoid the question but it seems to me you
are going about this the wrong way.
As for the question.
You would have to put the ids and passwords in some form
of storage and the DB is a good idea. Store the passwords
with one of the available one-way hash algorithms. As for
sharing the code, managing a web service means you'll have
to decide how to secure the web service. Also consider
whether you will support things such as expiring accounts,
expiring passwords, password complexity, etc. Also, if you
call the web service with a plain text password, it could
be a vulnerability issue. I'd seriously consider getting
Windows passwords in a domain if possible.

>-----Original Message-----
>I am developing for an Intranet with about 100 users
>(we do computer training).
>We're running about 12 different ASP.NET applications.
>4 of these applications require authentication.
>Windows authentication is not an option, as for Windows
>most of our users have a blank password (so it would
>be too easy for one user to impersonate another).
>For my secure applications all users will have their own
>password, and it should be the same password for the
>4 applications. They should have an option to change
>their own password.
>What will be the best policy to avoid duplicating code
>and information about users and passwords?
>My first thoughts were:
>- to use a database with user names and (encrypted)
> passwords
>- to share the database code and functionality (checking
> credentials, changing passwords) through a web service
>- to call the web service whenever a user is logging on.
>Is this a good path to follow?
>Or can it be done with one single web.config file?
>Any other suggestions?
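
A sketch of the shared credential store discussed in this thread, added here as an example and not code from either poster: passwords are kept only as salted one-way hashes, and the same class covers checking credentials, changing a password and password expiry. The class and member names, the PBKDF2 parameters, the 12-character minimum and the 90-day expiry are assumptions; it targets .NET 6 or later, and a dictionary stands in for the database table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
// Hypothetical shared credential store; a dictionary stands in for the database table.
public sealed class CredentialStore
{
    private const int SaltBytes = 16, HashBytes = 32, Iterations = 600_000; // assumed parameters
    private static readonly TimeSpan MaxAge = TimeSpan.FromDays(90);        // assumed expiry policy
    private sealed record Entry(byte[] Salt, byte[] Hash, DateTime SetUtc);
    private readonly Dictionary<string, Entry> _users = new(StringComparer.OrdinalIgnoreCase);
    public enum Result { Ok, Invalid, Expired }

    // Salted PBKDF2-HMAC-SHA256: one-way, so the stored value does not reveal the password.
    private static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);

    public void SetPassword(string user, string password)
    {
        if (password.Length < 12) // assumed minimal complexity rule
            throw new ArgumentException("Password must be at least 12 characters.");
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes); // fresh random salt per password
        _users[user] = new Entry(salt, Derive(password, salt), DateTime.UtcNow);
    }

    public Result Verify(string user, string password)
    {
        bool known = _users.TryGetValue(user, out var e);
        // Derive even for unknown users so response time does not reveal which names exist.
        byte[] hash = Derive(password, known ? e!.Salt : new byte[SaltBytes]);
        if (!known || !CryptographicOperations.FixedTimeEquals(hash, e!.Hash)) // constant-time compare
            return Result.Invalid;
        return DateTime.UtcNow - e!.SetUtc > MaxAge ? Result.Expired : Result.Ok;
    }

    // An expired password may still be used to set a new one; a wrong one may not.
    public bool ChangePassword(string user, string oldPassword, string newPassword)
    {
        if (Verify(user, oldPassword) == Result.Invalid) return false;
        SetPassword(user, newPassword);
        return true;
    }

    public static void Main()
    {
        var store = new CredentialStore();
        store.SetPassword("alice", "constructed-sample-1"); // constructed sample values
        Console.WriteLine(store.Verify("alice", "constructed-sample-1"));
        Console.WriteLine(store.ChangePassword("alice", "constructed-sample-1", "constructed-sample-2"));
        Console.WriteLine(store.Verify("alice", "constructed-sample-1"));
    }
}
```

If this class sits behind a web service, the password still crosses the wire in plain text on every call, so the service endpoint needs transport encryption of its own.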
