These are tips about software security for your login forms when you build your web sites.
Ten Security Tips for WebLogin
Never give hints to potential attackers
If the user id is wrong, or the password is wrong, give the same message in both cases. Being too user-friendly with your feedback is a mistake here: a distinct message tells an attacker which half of the credential was valid.
For example, a typical mistake is to show messages like these: "Your user id is wrong." or "The password given does not belong to the user id."
You must use a single generic message instead, like this: "The user id or the password is wrong."
Don't store user passwords in plain text in your database
No matter how many security measures you take, there is no perfect security system, so assume the database may one day be exposed. Store a hash of each password instead of the password itself, using a strong hash function such as SHA256.
You can encrypt the passwords instead, but that raises the problem of handling the keys.
Require long passwords, 8 characters or more
Passwords must contain a mix of numbers, letters (upper and lower case), and other symbols. Build a regular expression validator to enforce these requirements.
Force your users to change passwords periodically
Block login after 3 or more attempts
Chances are that you are under attack from a password-guessing bot. Block the IP address for a while, 1 hour or more, depending on your security needs. In the extreme, block the account and notify the owner by email.
On IIS, you can use the IISIpSecurity interface of the IIS ADSI Provider Interfaces. Read about this on MSDN: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/42f71810-275a-4410-b2b6-e8ad57c8fb8f.asp
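A login check that applies tips 1 to 4 together, as an added example that is not part of the original article: a salted PBKDF2-HMAC-SHA256 digest (a slow, iterated form of the SHA256 the tip names) is stored instead of the password, a regular expression enforces the 8+ character mix, both failure causes return one generic message, and the account is blocked after three failed attempts. The in-memory store, the iteration count and the function names are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import re

# Constructed in-memory store for the demo; a real site keeps this in its database.
_USERS = {}       # user id -> (salt, PBKDF2-HMAC-SHA256 digest)
_FAILED = {}      # user id -> consecutive failed attempts
MAX_ATTEMPTS = 3  # tip 4: block after 3 attempts
ITERATIONS = 100_000  # assumed work factor; raise it as your hardware allows
GENERIC_ERROR = "The user id or the password is wrong."
BLOCKED = "Account temporarily blocked."

# Tip 3: at least 8 characters with lower case, upper case, a digit and another symbol.
POLICY = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z\d]).{8,}$")

def password_ok(password):
    return POLICY.fullmatch(password) is not None

def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def register(user_id, password):
    if not password_ok(password):
        raise ValueError("password does not meet the policy")
    _USERS[user_id] = hash_password(password)  # tip 2: never the plain text

def login(user_id, password):
    """Return (success, message); the message never says which field was wrong (tip 1)."""
    if _FAILED.get(user_id, 0) >= MAX_ATTEMPTS:
        return False, BLOCKED
    record = _USERS.get(user_id)
    if record is None:
        # Unknown user: still do the hashing work so the response time does not reveal
        # whether the user id exists, and count the attempt like any other failure.
        hash_password(password, b"\x00" * 16)
        _FAILED[user_id] = _FAILED.get(user_id, 0) + 1
        return False, GENERIC_ERROR
    salt, stored = record
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(stored, candidate):  # constant-time comparison
        _FAILED[user_id] = _FAILED.get(user_id, 0) + 1
        return False, GENERIC_ERROR
    _FAILED[user_id] = 0
    return True, "Welcome."
```

Blocking by user id alone lets an attacker lock out a legitimate user by guessing badly on purpose, which is why the tip also suggests blocking the source IP address.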
Check your password recovery practices
Always issue the user a new password, and force them to change it after recovering. Don't use security questions as password reminders: people often put the password itself as the answer, and some questions are easy to guess, which makes identity theft easier.
Don't use the email address for user identification
A user's email address is a very public attribute, easy to obtain or guess. Give users a separate identifier, and allow them to change it.
Don't let users reset passwords through a phone call or live chat session with the helpdesk
People can be fooled by social engineering more easily than machines can.
Avoid Turing tests, or CAPTCHAs
They hurt usability and give a false sense of security. The same applies to two-factor authentication (token or key generators are useless too).
However, Turing tests are useful for non-critical processes, such as avoiding spam, if you take the usability issues into account. Smarter Turing tests are being developed, so this point may change in the near future.
Combine your passwords with biometrics
This gives you stronger security.
Read these articles:
Why you must avoid CAPTCHAS: http://www.w3.org/TR/turingtest/
Two Factor Authentication: http://www.schneier.com/essay-083.html
This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.