
Ten security tips for your web login forms

6 Sep 2005, 3 min read
Tips to reduce the risk of your login pages being compromised

Introduction

These are software-security tips for the login forms you build into your web sites.

Ten Security Tips for Web Login

  1. Never give hints to potential attackers

    If the user id is wrong, or the password is wrong, give the same message in both cases. Being too user-friendly with your feedback is a mistake here.

    For example, a typical mistake is to return a message like: "Your user id is wrong." or "The password given does not belong to the user id."

    You should use a single, non-specific message instead, such as: "The user id or the password is wrong."

  2. Don't store user passwords in plain text in your database

    No matter how many security measures you take, no system is perfectly secure. Store passwords as hashes, using a strong hash function such as SHA-256.

    You can encrypt passwords instead, but that raises the problem of key management.

  3. Require long passwords, 8 characters or more

    Passwords must contain a mix of numbers, letters (upper and lower case), and other symbols. Build a regular-expression validator to enforce these requirements.

  4. Force your users to change passwords periodically

  5. Block login after 3 or more attempts

    Chances are you are under attack by a password-guessing bot. Block the IP address for a while, 1 hour or more depending on your security needs. In extreme cases, block the account and notify its owner by email.

    On IIS, you can use the IISIpSecurity interface of the IIS ADSI provider interfaces. Read about it on MSDN: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/42f71810-275a-4410-b2b6-e8ad57c8fb8f.asp

  6. Review your password-recovery practices

    Always issue the user a new password, and force them to change it after recovery. Don't use reminder questions: people often put the password itself as the answer, and some questions are easy to guess, which makes identity theft easier.

  7. Don't use the email address for user identification

    A user's email address is a very public attribute, easy to obtain or guess. Give users a separate identifier, and allow them to change it.

  8. Don't let users reset passwords through a phone call or live chat session with the helpdesk

    People can be fooled by social engineering more easily than machines can.

  9. Avoid Turing tests, or CAPTCHAs

    They detract from usability and give a false sense of security. Two-factor authentication with token or key generators is useless too.

    However, Turing tests are useful for non-critical processes, such as avoiding spam, if you take usability into account. Smarter Turing tests are being developed, so this point may change in the near future.

  10. Combine your passwords with biometrics

    This gives you stronger security.

    Read these articles:
    Why you must avoid CAPTCHAs: http://www.w3.org/TR/turingtest/
    Two Factor Authentication: http://www.schneier.com/essay-083.html
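As an added example that is not part of the original article, the following Python sketch puts tips 1, 2, 3 and 5 above into code: one failure message for every outcome, a salted hash instead of the password itself, a regex password policy, and a three-attempt per-IP block. The in-memory user store, the PBKDF2-HMAC-SHA256 hashing (a slow, salted construction rather than a bare SHA-256 digest) and the one-hour block duration are assumptions of this example, not the article's own code.

```python
import hashlib, hmac, os, re, time
from typing import Callable, Dict, Optional, Tuple

# Tip 3: 8+ characters with lower, upper, digit and symbol, enforced by one regex.
PASSWORD_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$")
# Tip 1: one message for every failure, so the response never says which part was wrong.
GENERIC_ERROR = "The user id or the password is wrong."
MAX_ATTEMPTS = 3          # tip 5: block after 3 failed attempts from one IP ...
LOCKOUT_SECONDS = 3600    # ... for an hour (assumed value, "1 hour or more")

def password_is_strong(pw: str) -> bool:
    return PASSWORD_RE.fullmatch(pw) is not None

def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Tip 2: store a salted hash, never the password. Assumption: PBKDF2-HMAC-SHA256.
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class LoginService:
    # Constructed in-memory store; a real site would back this with its database.
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.users: Dict[str, Tuple[bytes, bytes]] = {}       # user_id -> (salt, hash)
        self.failures: Dict[str, Tuple[int, float]] = {}      # client_ip -> (count, locked_until)
        self.clock = clock

    def register(self, user_id: str, pw: str) -> None:
        if not password_is_strong(pw):
            raise ValueError("password does not meet the policy")
        self.users[user_id] = hash_password(pw)

    def login(self, user_id: str, pw: str, client_ip: str) -> Tuple[bool, str]:
        now = self.clock()
        count, locked_until = self.failures.get(client_ip, (0, 0.0))
        if now < locked_until:               # tip 5: still blocked, even with the right password
            return False, GENERIC_ERROR
        if locked_until:                     # block has expired: start counting afresh
            count = 0
        # Hash even for unknown ids so the response time does not hint whether the id exists.
        salt, stored = self.users.get(user_id, (bytes(16), bytes(32)))
        _, candidate = hash_password(pw, salt)
        if user_id in self.users and hmac.compare_digest(candidate, stored):
            self.failures.pop(client_ip, None)
            return True, "ok"
        count += 1
        if count >= MAX_ATTEMPTS:
            locked_until = now + LOCKOUT_SECONDS
        self.failures[client_ip] = (count, locked_until)
        return False, GENERIC_ERROR
```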
