How do I make my login system secure?

Question

0.00/5 (No votes)

See more:

I have created a simple login system that connects to a MySQL database.

The login is basically asking for a username and password which are stored in the database. There is no option for a user to register/sign up.

What are the best practices to make my login secure?

What security measures would you recommend?

What I have tried:

I have looked into password_hash and password_verify but i think this would only be suitable when someone is signing up or creating a new username and password.. correct me if i am wrong as i am new to this.

I am using sessions in my code but this is not enough security.

Posted 23-Mar-18 3:12am

Member 13742971

Updated 23-Mar-18 3:38am

Add a Solution

Comments

Richard Deeming 23-Mar-18 12:47pm

Some light reading for the weekend! :)

Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
PHP: SQL Injection - Manual[^]
PHP: Prepared statements and stored procedures - Manual[^]

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Accepted Answer · 2018-03-23T03:39:00

Never store passwords. That is a serious security risk.
Always hash them: Password Storage: How to do it.[^] - the code is in C# but it's exactly teh same principle in any language.
Hash the password - with a salt, such as the userID so two users with the string "password" don't get the same hash - and store the hash. When the user tries to login, hash what he enters (using the same salt) and compare the hashes. If they match, let him in.

But first check that everything in your code is SQL Injection safe - all DB access should use parameterised queries not string concatenation - or securing the passwords becomes irrelevant!