Opinions for this Website Control Panel? (Try and Hack!)
iiLagZz_x
  • Powerhouse
Status: Offline
Joined: Aug 18, 2010 (13 Year Member)
Posts: 466
Reputation Power: 20
Hey

I started making this control panel 2 days ago, and I've come up with this so far:
Please take a look at it and tell me what you think of the design, and if you were a customer, if you would be happy to have this in your purchased project.

If you're a good hacker, could you also try and hack the login script and see if you can gain access without using the proper values. If you have managed to, please can you tell me how so I can fix it.

Username: Demo (Not case sensitive)
Password: demopass (case sensitive)
#2. Posted:
Nic
  • Retired Staff
Status: Offline
Joined: Jun 08, 2010 (13 Year Member)
Posts: 2,466
Reputation Power: 1070
Motto: I've been watching you all day.
It looks good, personally I think it's a bit too red, but that's just me ;)

The effect with the jQuery is nice. But the fact that it constantly authenticates with every change makes it so much easier to use brute force/dictionary attacks.

It also seems that without Javascript enabled the login is broken. You cannot get past filling out the username (not to mention there's a loading icon while nothing is actually loading). If you decide to rely on jQuery so much that logging in without Javascript is impossible, you might want to deny access to those who have it disabled. TTG for example cannot be accessed without Javascript enabled.

Also, be sure to hash+salt your passwords, limit the access of your database user, escape characters for database queries, etc.
#3. Posted:
Illustrator
  • Challenger
Status: Offline
Joined: Mar 29, 2012 (12 Year Member)
Posts: 164
Reputation Power: 7
Looks pretty nice; the whole dashboard concept looks really nicely laid out. Also, when I'm not busy I will try to hack the login concept.
#4. Posted:
iiLagZz_x
  • Powerhouse
Status: Offline
Joined: Aug 18, 2010 (13 Year Member)
Posts: 466
Reputation Power: 20
Nicasus wrote It looks good, personally I think it's a bit too red, but that's just me ;)

The effect with the jQuery is nice. But the fact that it constantly authenticates with every change makes it so much easier to use brute force/dictionary attacks.

It also seems that without Javascript enabled the login is broken. You cannot get past filling out the username (not to mention there's a loading icon while nothing is actually loading). If you decide to rely on jQuery so much that logging in without Javascript is impossible, you might want to deny access to those who have it disabled. TTG for example cannot be accessed without Javascript enabled.

Also, be sure to hash+salt your passwords, limit the access of your database user, escape characters for database queries, etc.


Thanks for all your advice. I was planning on adding a non-JavaScript version of the login a bit later, and I already have salts/hashes for the passwords ;)

I think I may try to add some form of maximum queries per minute or something to try to prevent attacks like that, so maybe a maximum of, say, 30 ajax requests per 10 minutes or something (unless they actually log in).
#5. Posted:
-Jordan-
  • TTG Addict
Status: Offline
Joined: Jul 12, 2010 (13 Year Member)
Posts: 2,684
Reputation Power: 122
iiLagZz_x wrote
Nicasus wrote It looks good, personally I think it's a bit too red, but that's just me ;)

The effect with the jQuery is nice. But the fact that it constantly authenticates with every change makes it so much easier to use brute force/dictionary attacks.

It also seems that without Javascript enabled the login is broken. You cannot get past filling out the username (not to mention there's a loading icon while nothing is actually loading). If you decide to rely on jQuery so much that logging in without Javascript is impossible, you might want to deny access to those who have it disabled. TTG for example cannot be accessed without Javascript enabled.

Also, be sure to hash+salt your passwords, limit the access of your database user, escape characters for database queries, etc.


Thanks for all your advice. I was planning on adding a non-JavaScript version of the login a bit later, and I already have salts/hashes for the passwords ;)

I think I may try to add some form of maximum queries per minute or something to try to prevent attacks like that, so maybe a maximum of, say, 30 ajax requests per 10 minutes or something (unless they actually log in).


30 per 10 mins wouldn't be enough really unless your credentials are short and simple. For example:

username: jordanadams
password: c0mPLEX_ity

The above is 22 characters. Add to that typos, potentially longer usernames/passwords and you could easily make 30 requests. I would personally avoid the whole idea of trying to login on keydown/keyup and instead just put a button there. Other reasons to avoid the approach you've taken are performance and bandwidth restrictions on mobile devices and the fact that this would probably break any browser-based password memory.
#6. Posted:
XExJasperModv2
  • New Member
Status: Offline
Joined: Apr 01, 2012 (12 Year Member)
Posts: 30
Reputation Power: 1
I have tried hacking the login concept; it's a bitch to crack. Nice work, I have given up trying to do it.
#7. Posted:
iiLagZz_x
  • Powerhouse
Status: Offline
Joined: Aug 18, 2010 (13 Year Member)
Posts: 466
Reputation Power: 20
-Jordan- wrote
iiLagZz_x wrote
Nicasus wrote It looks good, personally I think it's a bit too red, but that's just me ;)

The effect with the jQuery is nice. But the fact that it constantly authenticates with every change makes it so much easier to use brute force/dictionary attacks.

It also seems that without Javascript enabled the login is broken. You cannot get past filling out the username (not to mention there's a loading icon while nothing is actually loading). If you decide to rely on jQuery so much that logging in without Javascript is impossible, you might want to deny access to those who have it disabled. TTG for example cannot be accessed without Javascript enabled.

Also, be sure to hash+salt your passwords, limit the access of your database user, escape characters for database queries, etc.


Thanks for all your advice. I was planning on adding a non-JavaScript version of the login a bit later, and I already have salts/hashes for the passwords ;)

I think I may try to add some form of maximum queries per minute or something to try to prevent attacks like that, so maybe a maximum of, say, 30 ajax requests per 10 minutes or something (unless they actually log in).


30 per 10 mins wouldn't be enough really unless your credentials are short and simple. For example:

username: jordanadams
password: c0mPLEX_ity

The above is 22 characters. Add to that typos, potentially longer usernames/passwords and you could easily make 30 requests. I would personally avoid the whole idea of trying to login on keydown/keyup and instead just put a button there. Other reasons to avoid the approach you've taken are performance and bandwidth restrictions on mobile devices and the fact that this would probably break any browser-based password memory.


I recently changed it to not use keyup/keydown; instead it detects when you have stopped typing for half a second, and if you haven't typed for half a second it submits. To try to save the requests, there will also be a mobile-specific skin which will have virtually no JavaScript on it.
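As an added example (not code from the thread or from iiLagZz_x's panel), the following models what Nic, Jordan and the OP discuss above: a sliding-window limiter for the "30 attempts per 10 minutes" idea, and a count of how many authentication requests a user typing Jordan's 22-character credentials generates under the per-keystroke design, the OP's half-second debounce, and a plain submit button. The client key, typing speed, field pause and typo are constructed assumptions.

```javascript
// Added example (not from the thread): server-side attempt limiter plus a model
// of how many login requests each client submission policy generates.

// Limiter keyed by client (IP, username, or both): at most `limit` attempts in
// any trailing `windowMs`. Returns true if the attempt may be checked.
function createAttemptLimiter(limit, windowMs) {
  const history = new Map(); // key -> timestamps (ms) of recent attempts
  return function allow(key, nowMs) {
    const recent = (history.get(key) || []).filter(t => nowMs - t < windowMs);
    const ok = recent.length < limit;
    if (ok) recent.push(nowMs); // rejected attempts are not recorded
    history.set(key, recent);
    return ok;
  };
}

// Number of authentication requests one typing session sends to the server.
// keystrokeTimesMs: one timestamp per character typed (constructed input).
//   'keystroke': one request per keyup/keydown (the original design)
//   'debounce' : one request after `quietMs` of no typing (the OP's later change)
//   'button'   : one request when the user clicks submit (Jordan's suggestion)
function requestsForTyping(keystrokeTimesMs, policy, quietMs = 500) {
  if (policy === 'button') return 1;
  if (policy === 'keystroke') return keystrokeTimesMs.length;
  if (policy !== 'debounce') throw new Error('unknown policy ' + policy);
  return keystrokeTimesMs.filter((t, i, arr) =>
    i === arr.length - 1 || arr[i + 1] - t >= quietMs).length;
}

// Constructed timeline: "jordanadams" then "c0mPLEX_ity" typed 150 ms apart,
// a 700 ms pause between fields, one typo (wrong key, backspace, retype).
function exampleKeystrokes() {
  const times = [];
  let t = 0;
  for (let i = 0; i < 'jordanadams'.length; i++) { times.push(t); t += 150; }
  t += 700; // pause before moving to the password field
  for (let i = 0; i < 'c0mPLEX_ity'.length + 2; i++) { times.push(t); t += 150; }
  return times;
}

// Run one session's requests through the limiter (assumed keyed by client IP,
// a constructed address) and report how many the server actually evaluated.
function attemptsEvaluated(policy, limit = 30, windowMs = 10 * 60 * 1000) {
  const allow = createAttemptLimiter(limit, windowMs);
  const sent = requestsForTyping(exampleKeystrokes(), policy);
  let evaluated = 0;
  for (let i = 0; i < sent; i++) if (allow('198.51.100.7', i * 150)) evaluated++;
  return { sent, evaluated };
}
```

With the per-keystroke design a single clean login already costs 24 of the 30 attempts in the window, so a couple more typos lock the legitimate user out, while the debounced and button designs cost 2 and 1 respectively and leave the whole budget for rejecting guessing.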