Security without using CAPTCHA

Now a days Automated and Dictionary attacks to login are very common security threat that every IT sector is quite aware of. There are many technique that can counter that problem.One of that is CAPTCHA(Completely Automatic Public Turing Test to Tell Computers and Humans Apart)- an image that contains characters and/or numbers that can be read only by human;its value then entered by the user. But it is a costly method as it is quite difficult to implement. We have to generate new images on the fly which is also very difficult. Furthur some soft ware are designed to figure out the value on the image using technologies like OCR scanning. Although CAPTCHA may not work all the times,it is difficult,expensive plus requires user to enter yet another value from an already difficult to read text. So, there must be something that is no expensive,much secure,easy to use and easy to implement.

Introduction

If we think from a hacker’s point of view, it will be nothing to break a system by Brute Force which can generate UserID and Password on the fly and can break into the system in no time. But what is common in this? The keys! Let me make it clear…... for example, if the login page contains two text boxes, one named "userid" and the other "password", all we have to do is submit values to these fields, something like http://address/loginpagename.aspx?userid=Anik&password=itsanik, and keep on changing the values "Anik" and " itsanik " until I find the right combination and we will get in. The keys that are common in this scenario are "userid" and "password". What if these keep changing every time you make a submit attempt? You would never know which key to provide the value to, hence cripple the key-value combination attack altogether!

The Code

The basic idea in accomplishing this is to assign a different name to the userid text box and password text box every time the page is loaded, either by first loading or a postback is triggered. To make sure that the keys (the names assigned to the userID textbox and password textbox) are unpredictable, I elected to use GUID. There are four parts to this technique

Part 1:

UserIDKey and PwdKey private properties. (I use ViewState to store the assigned key instead of Session so that if the user spawns another instance of login page, each page would have its own keys.)

private string UserIDKey
{
    get
    {
        if(ViewState["UserIDKey"] == null)
            ViewState["UserIDKey"] = Guid.NewGuid().ToString();
        return (string) ViewState["UserIDKey"];
    }
    set
    {
        ViewState["UserIDKey"] = value;
    }
}
private string PwdKey
{
    get
    {
        if(ViewState["PwdKey"] == null)
            ViewState["PwdKey"] = Guid.NewGuid().ToString();
        return (string) ViewState["PwdKey"];
    }
    set
    {
        ViewState["PwdKey"] = value;
    }
}

Part 2:

Assign new names to the text boxes when the page is first loaded.

private void Page_Load(object sender, System.EventArgs e)
{
    if(!IsPostBack)
    {
        MakeFieldNamesSecret();
    }
}
private void MakeFieldNamesSecret()
{
    txtPassword.ID = PwdKey;
    txtUserID.ID = UserIDKey;
}

Part 3:

Validation. When the Submit button is clicked, retrieve the values of the two text boxes to validate.

private void btnLogin_Click(object sender, System.EventArgs e)
{
    string userID = Request.Form[UserIDKey];
    string pwd    = Request.Form[PwdKey];
    //You must provide your own validation
    if(userID == "Anik" && pwd == "itsanik")
        Server.Transfer("PostLoginPage.aspx");
    else
        lblErr.Text = "Invalid UserID or Password";
}

Part 4:

Change the names of the text boxes on postback. This is what really prevents the key-value attack!

private void LoginPage_PreRender(object sender, System.EventArgs e)
{
    if(IsPostBack)
    {
        UserIDKey = null;
        PwdKey    = null;
        MakeFieldNamesSecret();
    }
}