
Saturday, March 1, 2014

Lock out users who provide bad passwords in ASP.NET

In this article, we will discuss how to lock out users who provide bad passwords.

When providing a user login form in any application you build, always guard against repeated bogus password attempts. If you have a malicious end user who knows a username, he may try to access the application by repeatedly trying different passwords. You want to guard against this kind of activity. You don’t want to allow this person to try hundreds of possible passwords with this username.

ASP.NET has built-in protection against this type of activity.

FailedPasswordAttemptCount and FailedPasswordAttemptWindowStart are the two columns ASP.NET provides to control this type of activity.

By default, a username can be used with an incorrect password in a login attempt only five times within a 10-minute window. On the fifth failed attempt, the account is locked down. ASP.NET does this by setting the IsLockedOut column to True.

You can control the number of password attempts that are allowed and the length of the attempt window for your application. These two items are defined in the SqlMembershipProvider declaration in the machine.config file. You can change the values either in the server-wide configuration files or in your application’s web.config file, as shown below.

Changing the values for password attempts in the provider declaration:

    <membership defaultProvider="AspNetSqlMembershipProvider">
        <providers>
            <clear />
            <add name="AspNetSqlMembershipProvider" connectionStringName="ApplicationServices"
                maxInvalidPasswordAttempts="3" passwordAttemptWindow="15"
                type="System.Web.Security.SqlMembershipProvider, System.Web,Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        </providers>
    </membership>

To determine the number of password attempts that are allowed, use maxInvalidPasswordAttempts.

This example changes the value to 3, meaning that users are allowed to enter an incorrect password three times before being locked out (within the time window defined). The default value of the maxInvalidPasswordAttempts attribute is 5. You can set the time allowed for bad password attempts to 15 minutes using the passwordAttemptWindow attribute. The default value of this attribute is 10.
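
The interaction between the attempt counter, the attempt window and the lockout flag can be modelled in a small console program. This is an added example, not code from the original post or from ASP.NET itself: the `LockoutModel` class and its reset rules (a failure after the window has expired restarts the count at 1, each failure restarts the window, a success clears the count) are assumptions of the model, and the attempt timeline is constructed.

```csharp
using System;

// Simplified model (an assumption, not SqlMembershipProvider source) of the
// per-user lockout state named in this article.
class LockoutModel
{
    public int MaxInvalidPasswordAttempts = 3;                        // value used in this article
    public TimeSpan PasswordAttemptWindow = TimeSpan.FromMinutes(15); // value used in this article
    public int FailedPasswordAttemptCount;
    public DateTime FailedPasswordAttemptWindowStart = DateTime.MinValue;
    public bool IsLockedOut;

    // Returns true only when the password is correct AND the account is not locked.
    public bool Validate(bool passwordCorrect, DateTime now)
    {
        if (IsLockedOut) return false;           // a locked account rejects even the right password
        if (passwordCorrect)
        {
            FailedPasswordAttemptCount = 0;      // assumption: success clears the counter
            return true;
        }
        bool windowExpired = now > FailedPasswordAttemptWindowStart + PasswordAttemptWindow;
        FailedPasswordAttemptCount = windowExpired ? 1 : FailedPasswordAttemptCount + 1;
        FailedPasswordAttemptWindowStart = now;  // assumption: window restarts at each failure
        if (FailedPasswordAttemptCount >= MaxInvalidPasswordAttempts) IsLockedOut = true;
        return false;
    }

    public void UnlockUser() { IsLockedOut = false; FailedPasswordAttemptCount = 0; }
}

static class Program
{
    static void Main()
    {
        var user = new LockoutModel();
        var t0 = new DateTime(2014, 3, 1, 9, 0, 0);   // constructed timeline
        // (minutes after t0, was the password correct?)
        var attempts = new[] { (0, false), (5, false), (30, false), (31, false), (32, false), (33, true) };
        foreach (var (minute, ok) in attempts)
        {
            bool result = user.Validate(ok, t0.AddMinutes(minute));
            Console.WriteLine($"t+{minute,2}m correct={ok,-5} -> login={result,-5} " +
                              $"count={user.FailedPasswordAttemptCount} locked={user.IsLockedOut}");
        }
        user.UnlockUser();
        Console.WriteLine("after UnlockUser: login=" + user.Validate(true, t0.AddMinutes(34)));
    }
}
```

In this model the two failures at t+0 and t+5 do not count toward the three at t+30 to t+32 because the window had expired in between, and the correct password at t+33 is still rejected because the account is already locked. Failures spaced wider than the window never reach the threshold, so failed logins should also be logged and monitored rather than relying on lockout alone.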

A sample page to test password attempts:

    protected void Button1_Click(object sender, EventArgs e)
    {
        if (CheckBox1.Checked == true)
        {
            MembershipUser user = Membership.GetUser(TextBox1.Text);
            user.UnlockUser();   // unlock the account before validating
        }
        if (Membership.ValidateUser(TextBox1.Text, TextBox2.Text))
            Label1.Text = "You are logged on!";
        else
        {
            MembershipUser user = Membership.GetUser(TextBox1.Text);
            Label1.Text = "Locked out value: " + user.IsLockedOut.ToString();
        }
    }

This page contains two text boxes: one for the username and another for the password. Above these, however, is a check box that you can use to unlock a user after you have locked down the account because of bad password attempts.

The IsLockedOut property is read through an instantiation of the MembershipUser object. The IsLockedOut property is retrieved and displayed to the screen.

UnlockUser() is invoked if the check box is selected in the button-click event.