
Ten security tips for your web login forms

ediazc, 6 Sep 2005

Tips to help keep your login pages from being hacked

Introduction

These are software security tips for the login forms you build into your web sites.

Ten Security Tips for WebLogin

  1. Never give hints to potential attackers

    If the user id is wrong, or the password is wrong, give the same message in both cases. Being too user friendly with your feedback is a mistake here.

    For example, a typical mistake is to show a message like: "Your user id is wrong." or "The password given does not belong to the user id."

    Use a less specific message instead, like: "The user id or the password are wrong."

  2. Don't store user passwords in plain text in your database

    No matter how many security measures you take, there is no perfect security system. Store passwords as the output of a hash function such as SHA256 or another; the stronger the hash function, the better.

    You can encrypt the passwords instead, but that raises the problem of managing the keys.
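    Tips 1 and 2 together, as an added example that is not part of the original article: the stored value is a salted PBKDF2-HMAC-SHA256 digest rather than the password, the same message comes back whether the user id or the password was wrong, and an unknown user id still costs one hash so response time gives no hint either. The in-memory `USERS` table and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user table"; a real site would use a database.
# Each row stores a random salt and the PBKDF2-HMAC-SHA256 digest of the
# password, never the password itself (tip 2).
USERS = {}

ITERATIONS = 100_000                                    # assumed work factor
GENERIC_ERROR = "The user id or the password are wrong."  # tip 1: one message

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register(user_id: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[user_id] = (salt, hash_password(password, salt))

# Fixed dummy values so the unknown-user path does the same amount of work
# as the known-user path; otherwise timing would reveal which ids exist.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_DIGEST = b"\x00" * 32

def login(user_id: str, password: str):
    """Return (ok, message). The message never says which part failed."""
    salt, stored = USERS.get(user_id, (_DUMMY_SALT, _DUMMY_DIGEST))
    candidate = hash_password(password, salt)
    # hmac.compare_digest avoids leaking the digest through timing differences.
    if user_id in USERS and hmac.compare_digest(candidate, stored):
        return True, "Welcome."
    return False, GENERIC_ERROR
```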

  3. Require long passwords, 8 characters or more

    Passwords must contain a mix of numbers, letters (upper and lower case) and other symbols. Build a regular expression validator to enforce these requirements.
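    The validator described in tip 3, as an added example rather than the article's own code: one lookahead per rule, plus a helper that lists the unmet rules for the sign-up page (never for the login page, per tip 1). It assumes "other symbols" means any non-alphanumeric, non-whitespace character.

```python
import re

# Each lookahead enforces one rule; the final \S{8,} enforces the length
# and rejects whitespace. Assumption: a "symbol" is any printable character
# that is not a letter, a digit or whitespace.
PASSWORD_RULE = re.compile(
    r"^(?=.*[a-z])"            # at least one lower-case letter
    r"(?=.*[A-Z])"             # at least one upper-case letter
    r"(?=.*[0-9])"             # at least one digit
    r"(?=.*[^A-Za-z0-9\s])"    # at least one symbol
    r"\S{8,}$"                 # 8 or more characters, no whitespace
)

def is_strong_password(password: str) -> bool:
    return PASSWORD_RULE.fullmatch(password) is not None

def password_problems(password: str) -> list:
    """List the rules a candidate password fails, for feedback at sign-up."""
    checks = [
        (len(password) >= 8, "at least 8 characters"),
        (re.search(r"[a-z]", password), "a lower-case letter"),
        (re.search(r"[A-Z]", password), "an upper-case letter"),
        (re.search(r"[0-9]", password), "a digit"),
        (re.search(r"[^A-Za-z0-9\s]", password), "a symbol"),
        (not re.search(r"\s", password), "no whitespace"),
    ]
    return [need for ok, need in checks if not ok]
```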

  4. Force your users to change passwords periodically

  5. Block login after 3 or more attempts

    Chances are that you are under attack from a password-guessing bot. Block the IP for a while, 1 hour or more depending on your security needs. In the extreme, block the account and notify the owner by email.

    On IIS, you can use the IISIpSecurity interface of the IIS ADSI Provider Interfaces. Read about it on MSDN: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/42f71810-275a-4410-b2b6-e8ad57c8fb8f.asp
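    The lockout logic of tip 5, as an added example that does not come from the article and makes no IIS or ADSI calls: failures are counted per client IP within a one-hour window, the IP is blocked for an hour after the third, and an account is locked and its owner notified after a higher, assumed threshold. The `clock` parameter exists only so the expiry can be tested without waiting.

```python
import time
from collections import defaultdict

MAX_ATTEMPTS = 3          # tip 5: block after 3 or more failed attempts
IP_BLOCK_SECONDS = 3600   # "1 hour or more"
ACCOUNT_LOCK_AFTER = 10   # assumed threshold for locking the account itself

class LoginThrottle:
    """Tracks failed logins per IP and per account; the e-mail is a stand-in."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.ip_failures = defaultdict(list)   # ip -> timestamps of failures
        self.blocked_ips = {}                  # ip -> time the block expires
        self.account_failures = defaultdict(int)
        self.locked_accounts = set()
        self.notifications = []                # would be e-mails to the owner

    def is_blocked(self, ip: str, user_id: str) -> bool:
        now = self.clock()
        until = self.blocked_ips.get(ip)
        if until is not None and now < until:
            return True
        self.blocked_ips.pop(ip, None)         # block has expired, forget it
        return user_id in self.locked_accounts

    def record_failure(self, ip: str, user_id: str) -> None:
        now = self.clock()
        window = self.ip_failures[ip]
        window.append(now)
        # Only failures inside the block window count toward the threshold.
        window[:] = [t for t in window if now - t < IP_BLOCK_SECONDS]
        if len(window) >= MAX_ATTEMPTS:
            self.blocked_ips[ip] = now + IP_BLOCK_SECONDS
            window.clear()
        self.account_failures[user_id] += 1
        if self.account_failures[user_id] >= ACCOUNT_LOCK_AFTER:
            self.locked_accounts.add(user_id)
            self.notifications.append(f"account {user_id} locked; notify owner")

    def record_success(self, ip: str, user_id: str) -> None:
        self.ip_failures.pop(ip, None)
        self.account_failures.pop(user_id, None)
```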

  6. Review your password recovery practices

    Always send the user a new password, and force them to change it after recovering. Don't use reminder questions: people often put the password itself as the answer, and some questions are easy to guess. That makes identity theft easier.

  7. Don't use the email address for user identification

    A user's email is a very public attribute, easy to obtain or guess. Give the user a different identifier, and allow the user to change it.

  8. Don't give the user the opportunity to restore passwords through a phone call or a live chat session with the helpdesk

    People can be fooled more easily than machines, through social engineering.

  9. Avoid Turing tests, or CAPTCHAs

    They are detrimental to usability, and give a false sense of security. Two-factor authentication (token or key generators) is useless too.

    However, Turing tests are useful for non-critical processes, like avoiding spam, if you weigh the usability issues. Smarter Turing tests are being developed, so this point may change in the near future.

  10. Combine your passwords with biometrics

    This gives you stronger security.

    Read these articles:
    Why you must avoid CAPTCHAS: http://www.w3.org/TR/turingtest/
    Two Factor Authentication: http://www.schneier.com/essay-083.html

About the Author

ediazc
Web Developer
Chile Chile
Eduardo Diaz
personal blog

Article Copyright 2005 by ediazc
Everything else Copyright © CodeProject, 1999-2014