Prevent Dictionary Attacks
Implement seven application-level techniques to safeguard your password-protected ASP.NET apps.
by James McCaffrey

Posted September 30, 2003

Technology Toolbox: C#, ASP.NET

All password-protected Web applications are potentially vulnerable to dictionary attacks—when automated programs attempt to gain access to an application by using a file of possible passwords. However, you're not without defenses against this type of attack. I'll show you how password protection and dictionary attacks work so you can understand how to protect your apps. You'll examine an ASP.NET application that uses the .NET Framework FormsAuthentication class to provide password protection. Then, an example dictionary attack written in C# will help you grasp the principles and mechanics of a dictionary attack. Finally, I'll describe seven practical steps you can and should take to safeguard your ASP.NET applications.


Start by taking a look at a simplified password-protected application—an ASP.NET app that uses the new .NET forms authentication model to provide password protection (see Figures 1 and 2). It's obvious that trying to break into this system manually would be extremely tedious and time-consuming. However, a dictionary-attack program that attempts relentlessly to guess a correct username-password pair is a serious threat (see the sidebar, "Brute Force Attacks are Less of a Threat").

This miniature system involves three files: login.aspx, default.aspx, and web.config. The login.aspx file provides the user interface for password protection and is the page unauthenticated users are redirected to if they enter an incorrect password (see Listing 1). The default.aspx file is the protected application; only authorized and authenticated users can view it. The web.config file has username-password credential data for authentication, and authorization data that specifies which pages authenticated users can view.

The UI portion of login.aspx doesn't contain anything unusual. Server-side TextBox controls TextBox1 and TextBox2 hold the user ID and password, respectively. A Label control displays a message when a failed login occurs.
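A minimal code-behind for the login.aspx page described above, written here as an illustration and not taken from the article's Listing 1. The control names TextBox1 and TextBox2 come from the text; the Label name Label1, the button name LoginButton, the user name in web.config and the password hash are assumptions.

```csharp
// login.aspx.cs - code-behind for the login page (added example, not Listing 1).
// The .aspx is assumed to declare:
//   <asp:Button id="LoginButton" runat="server" OnClick="LoginButton_Click" Text="Login" />
// Assumed web.config (user name and SHA1 hash are placeholders; the hash can be
// produced with FormsAuthentication.HashPasswordForStoringInConfigFile):
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="login.aspx" protection="All" timeout="30">
//         <credentials passwordFormat="SHA1">
//           <user name="demo" password="PLACEHOLDER_SHA1_HEX_OF_PASSWORD" />
//         </credentials>
//       </forms>
//     </authentication>
//     <authorization>
//       <deny users="?" />   <!-- anonymous users are redirected to login.aspx -->
//     </authorization>
//   </system.web>
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class Login : Page
{
    protected TextBox TextBox1;   // user ID
    protected TextBox TextBox2;   // password
    protected Label Label1;       // failure message (assumed name)
    protected Button LoginButton; // assumed name

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = TextBox1.Text;
        string pwd = TextBox2.Text;

        // Compare the submitted pair against the <credentials> section;
        // the password is hashed with the configured format before comparison.
        if (FormsAuthentication.Authenticate(user, pwd))
        {
            // Issue the forms-authentication ticket cookie and return the user
            // to the protected page that caused the redirect (default.aspx).
            FormsAuthentication.RedirectFromLoginPage(user, false);
        }
        else
        {
            // One generic message: the response does not say which half of the pair was wrong.
            Label1.Text = "Invalid user ID or password.";
        }
    }
}
```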
