CET324 – Advanced Cyber Security Assignment 2

Submitted to:
School of Computer Science
University of Sunderland

Submitted by:
Student name: Saroj Neupane
Registration no: 239756985
Degree: BSc (Hons) Computer System Engineering

1|Page
Table of Contents
Introduction......................................................................................................................................3

Design of the Prototype System......................................................................................................3

1. User Interface for Account Creation....................................................................................3

2. Password Strength Algorithm..............................................................................................3

3. Captcha Integration..............................................................................................................3

4. Password Policies and Security Measures...........................................................................4

5. Evaluation of Robustness and Performance........................................................................4

Conclusion.......................................................................................................................................5

References......................................................................................................................................24

2|Page
Abstract

This report presents the design and development of a secure online user registration system
implemented using .NET Core 8. The system integrates key cybersecurity measures, including
password strength evaluation, CAPTCHA validation, two-factor authentication (2FA), and email-
based authentication. It also includes features such as password hashing, encryption, password
reuse prevention, and account lockout mechanisms to enhance security. The effectiveness of the
system is evaluated for robustness, performance, and resistance to common attacks, ensuring
both high security and usability for user registration.

Keywords: Cybersecurity, User Registration, Password Strength, CAPTCHA, Two-Factor

Authentication

3|Page
Introduction

This report describes the development of a secure online registration system built using .NET
Core 8. The system integrates vital cybersecurity measures to protect user data and accounts.
Notable features include an easy-to-use registration and login interface, CAPTCHA verification,
password strength analysis, encryption, two-factor authentication (2FA), and restrictions on
reusing passwords.

Design of the Prototype System

1. User Interface for Account Creation: The account creation interface was developed
utilizing the Model-View-Controller (MVC) architecture in .NET Core 8, ensuring a
distinct separation between business logic and user interface. Bootstrap was utilized for
responsive design. The registration form utilizes client-side validation using JavaScript to
safeguard against SQL injection and cross-site scripting (XSS) threats. Moreover, server-
side validation via ASP.NET Core Identity provides enhanced security. Passwords are
securely administered, never retained in plaintext, and the system enforces stringent
password standards, including the prohibition of password reuse and the modification of
the password process. Anderson, 2024.
2. Password Strength Algorithm: A bespoke algorithm assesses password strength by
analyzing its length, the integration of uppercase and lowercase letters, numerals, special
characters, and the exclusion of prevalent patterns. It offers instantaneous feedback to
users, enabling them to enhance their passwords. This method adheres to optimal
protocols to enhance password security and protect against brute force assaults (NIST,
2024).
3. Captcha Integration: Captcha Integration: Google reCAPTCHA v2 was implemented to
prevent automated bot-driven registration attempts. Although CAPTCHA may
occasionally be inconvenient and fail to completely differentiate between human and bot
users, reCAPTCHA v2 efficiently obstructs automated registrations and is especially
beneficial in reducing credential stuffing assaults (Google Cloud, n.d.).

4|Page
 4. Password Security Policies and Protection Techniques: Various security measures
were implemented to ensure that passwords are well protected (Woo & Mirkovic, 1970):
 Password Hashing and Encryption: Passwords are encrypted using the PBKDF2
algorithm with a strong salt, ensuring that even if a database is compromised, the
passwords remain secure.
 Prevention of Password Reuse: To safeguard accounts from unauthorized access,
the system tracks password history and prevents users from reusing previous
passwords.
 Enforced Password Complexity: To defend against common attack methods,
passwords must meet certain criteria such as including a combination of letters,
numbers, and special characters. Additionally, commonly used weak passwords (e.g.,
"123456" or “Password123”) are prohibited.
 Two-Factor Authentication (2FA): The addition of 2FA using an authenticator app
enhances security, even if the password is compromised, by requiring another form of
verification to access the account.
 Email Verification: A verification email is sent during registration or when resetting
passwords, ensuring that only authorized users can gain access to the system.
 Account Lockout Mechanism: After three failed login attempts, the account is
temporarily locked for two minutes, preventing brute-force attacks and protecting
user data.
5. Evaluation of System Security and Performance: The system was evaluated for both
security and performance to verify its efficiency:
 Brute-Force Attack Prevention: After three unsuccessful login attempts, the account
is locked, making it difficult for automated brute-force attempts to succeed. Google
reCAPTCHA v2 also blocks bot-driven login attempts.
 Password Strength Enforcement: The custom-built password strength algorithm
enforces strong passwords by providing real-time feedback, ensuring that they are
secure against brute-force and dictionary attacks.
 Protection Against SQL Injection and XSS Attacks: Parameterized queries are
used to prevent SQL injection, while input validation and output encoding ensure
protection from cross-site scripting (XSS) attacks.

5|Page
  Scalability: The system's performance is supported by Google reCAPTCHA and
SendGrid cloud services, ensuring that it remains efficient even with increasing
traffic.

These measures make sure the system is both secure and capable of handling typical threats,
while also being high-performing.

Conclusion

The prototype system presents a secure and intuitive method for user account registration,
incorporating essential cybersecurity measures like password strength evaluation, CAPTCHA
verification, two-factor authentication (2FA), and email-based verification. Utilizing .NET Core
8 and contemporary security standards, the system offers strong protection without
compromising user experience. The design decisions were influenced by reputable research and
best practices, ensuring the system is resistant to frequent threats and scalable. Key features such
as the custom password strength algorithm, CAPTCHA integration, and encryption are crucial
components that collectively establish a secure authentication framework.

6|Page
Screenshots of the System

1. Login Page

7|Page
 2. Captcha Validation Before Login Requirement

3. Re-captcha Service

8|Page
 4. Login Page User Interface Code

9|Page
 5. Input Field Validations

6. Confirm Password Match Check

10 | P a g e
 7. Password Requirement and Strength Meter

8. Client-side Custom Password Strength Calculator

11 | P a g e
 9. Using Identity and adding Password Requirement in Backend (Program.cs)

12 | P a g e
 10. Account Controller (Login Action)

13 | P a g e
 11. Register Page

12. Account Controller (Register Action)

14 | P a g e
15 | P a g e
 13. Forgot Password Page

14. Email Sent Message

16 | P a g e
 15. Reset Password Email Sent

17 | P a g e
 16. Email Sender Service

18 | P a g e
 17. 2FA Authentication Page

19 | P a g e
 18. Home Page after Successful Login

19. Home Page User Interface Code

20 | P a g e
 20. Logout Action

21. Profile Page

21 | P a g e
 22. Change Password Page

23. Change Password Action

22 | P a g e
 24. Enable Two Factor Authentication

23 | P a g e
 25. Verify Authenticator App

24 | P a g e
References

Anderson, R. (2024) Introduction to identity on asp.net core, Microsoft Learn. Available at:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-
8.0 (Accessed: 09 October 2024).

Google (n.d.) ReCAPTCHA | Google for Developers. Available at:

https://developers.google.com/recaptcha/ (Accessed: 09 October 2024).

NIST, G.M. (2024) NIST Cybersecurity Framework 2.0: [Preprint].

doi:10.6028/nist.sp.1312.ipd.

Woo, S.S. and Mirkovic, J. (1970) GuidedPass: Helping users to create strong and memorable
passwords, SpringerLink. Available at: https://link.springer.com/chapter/10.1007/978-3-030-
00470-5_12 (Accessed: 11 October 2024).

25 | P a g e