PerlMonks

User Validation factors

by Angel (Friar)
on Nov 17, 2002 at 21:57 UTC

Angel has asked for the wisdom of the Perl Monks concerning the following question:

Dear Monks,
As I learn more about the world of Perl and programming I read many of your articles and look for an answer that currently does not seem to be answered or discussed previously.

I have been doing much reading about password and user validation. I am currently working on writing an object for a volunteer effort I am working on to allow users to enter the site I work with.
This is the current list of access problems that have come to my attention and I would like to know if I am missing any.
  • Protecting usernames, not making them available publicly, not using obvious ones for administration scripts ( i.e. god )
  • Password should be upper and lowercase, numbers as well as letters.
  • reasonable minimum length ( 5-7 char )
  • maximum length something long like 30 chars
  • dictionary !match like UNIX systems have ( not sure where to get a good file of words )
  • username != password
  • username != stored first or last name or other data
  • Hash passwords one way using md5 so if database gets compromised they cannot get in later and wreak havoc
  • Check IP, if same IP logs in or attempts to log in more than ( 3? ) times in (3?) minutes block attempts for certain period of time. This should prevent some hammering and people from trying to open 400 accounts with LWP or some other software ( like MS Office/VB and IE ) and cause my ISP to hate me.
  • check username logins so that someone is not rotating IPs and trying to open one account.
  • use $ENV{HTTP_REFERER} or .htaccess to block simple access from sites !mySite ( keep people from putting a wrapper around my site easily )
  • log all logins to look for trends and problems
  • lost password script generates random Alphanumeric script. It was in a seekers of perl wisdom last week. And asks for more than just the answer to the hint ( as I found out last year people put in really easy hints ).

    What else should I look for to prevent someone from getting in that should not be? My backend is secure or so my ISP tells me ( and they are pretty good at this stuff ). And I read Ovid's tutorial on tainting and checking all vars and NOT LETTING ANY USER DATA NEAR THE SHELL.

    Angel
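The rules in the list above, turned into a small Perl checker as an added example (this is not Angel's code): a password-policy function covering length, character classes, the dictionary match and the username/name comparisons, the one-way md5 step the post proposes, and a per-IP attempt throttle. The word list, the account record and the IP are constructed stand-ins so the script runs offline; the minimum length of 7 is picked from the post's 5-7 range.

```perl
#!/usr/bin/perl
# Added example, not from the original post: password-policy checks and a
# per-IP login throttle. Word list and account record are constructed inline.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Constructed stand-in for a dictionary file such as /usr/share/dict/words.
my %DICT = map { $_ => 1 } qw(password secret dragon letmein monkey);

# Constructed account record; the post says username != stored names.
my %ACCOUNT = (username => 'jsmith', first => 'John', last => 'Smith');

# Returns a list of policy violations; an empty list means the password passes.
sub password_problems {
    my ($pw, $acct) = @_;
    my @bad;
    push @bad, 'too short (min 7)'          if length($pw) < 7;
    push @bad, 'too long (max 30)'          if length($pw) > 30;
    push @bad, 'needs upper and lower case' unless $pw =~ /[a-z]/ && $pw =~ /[A-Z]/;
    push @bad, 'needs a digit'              unless $pw =~ /\d/;
    push @bad, 'is a dictionary word'       if $DICT{ lc $pw };
    for my $field (qw(username first last)) {
        push @bad, "matches $field" if lc $pw eq lc $acct->{$field};
    }
    return @bad;
}

# One-way hash as the post proposes (md5); only the digest would be stored.
sub hash_password { return md5_hex(shift) }

# Per-IP throttle: more than $max attempts inside $window seconds => blocked.
my %ATTEMPTS;   # ip => [ epoch seconds of recent attempts ]
sub login_allowed {
    my ($ip, $now, $max, $window) = @_;
    my $recent = $ATTEMPTS{$ip} ||= [];
    @$recent = grep { $now - $_ < $window } @$recent;   # drop stale entries
    return 0 if @$recent >= $max;
    push @$recent, $now;
    return 1;
}

for my $pw (qw(jsmith Password1 Tr0ub4dor&3x)) {
    my @p = password_problems($pw, \%ACCOUNT);
    printf "%-14s %s\n", $pw, @p ? join(', ', @p) : 'OK -> ' . hash_password($pw);
}
my $t = time;   # constructed IP; 3 attempts per 180 seconds, the 4th is blocked
printf "attempt %d from 10.0.0.1: %s\n", $_,
    login_allowed('10.0.0.1', $t, 3, 180) ? 'allowed' : 'blocked' for 1 .. 4;
```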
    Re: User Validation factors
    by SpaceAce (Beadle) on Nov 18, 2002 at 04:29 UTC
      I can think of two other things you may want to look into: shadowed password files and keeping not only the actual password file out of site, but also the .htaccess or equivalent. Even if your password file is not visible from the web you don't want people finding your .htaccess file because the .htaccess file will tell them where the password file is and they may be able to use an exploit unrelated to your password script to get their hands on the password file.

      SpaceAce
      s>>sp>;s>..|>\u$&ace>g;print;
