
I'm making a simple news feed where I enter a new item from a form hidden on a URL that I manually need to type in (no account functionality). But I wanted an additional line of defense if the form is found, so I added a password field so that if the password matches the preset I have, the form saves the data into an XML file.

Now the question is, what's the best practice here to make that validation, and where do I put the password?

At the moment my code looks like this:

using System.Web.Mvc;

[HttpPost]
[ValidateAntiForgeryToken()]
public ActionResult AddPost(AddPostModel model)
{
    // Hard-coded password compared directly against the posted value
    if (ModelState.IsValid && model.Password == "MyPassword")
    {
        AddPostModel.AddPostToXML(model);
    }
    return RedirectToAction("Index");
}

The thing is that it's a small site, and at worst they add a news item that should not be there. So do I need to take additional precautions, or is it secure enough for what it's supposed to protect?

Since I'm quite new I don't have a lot of experience in security, so any guidelines or things to keep in mind would also be much appreciated.

Thanks!

2 Answers


After some discussion I settled on having a hashed password in the web.config that I then check against to see if the password is the right one. Then during the check I just hash the entered password with the same function and check if it's a match.

Here is the class I built if anyone else is looking for something similar. =)

using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;

public class Security
{
    public static bool ValidatePassword(string password)
    {
        string hashValue = HashPassword(password);

        // Compare against the Base64 SHA-256 digest stored in web.config appSettings
        return hashValue == ConfigurationManager.AppSettings["password"];
    }

    private static string HashPassword(string passwordToHash)
    {
        using (HashAlgorithm hash = SHA256.Create())
        {
            byte[] plainTextBytes = Encoding.UTF8.GetBytes(passwordToHash);
            byte[] hashBytes = hash.ComputeHash(plainTextBytes);

            // Base64 text of the (unsalted) SHA-256 hash of the password
            return Convert.ToBase64String(hashBytes);
        }
    }
}



I found a useful link that might help you get an idea about customising the security level: http://www.c-sharpcorner.com/uploadfile/jitendra1987/password-validator-in-C-Sharp/ Have you looked at the Ajax toolkits!? They have good mechanisms to set up your first line of security defence, i.e. length of password, adding complexity and other features. Please have a look at: http://www.ajaxcontroltoolkit.com/PasswordStrength/PasswordStrength.aspx

1 Comment

The issue was not that I needed validation of a new password, but validation that the entered password was the same as a predefined one that I set for when I enter news items on the site.
