Security Basics mailing list archives
RE: Secure Login Form
From: <benoni.martin () accenture com>
Date: Thu, 17 Jan 2008 13:14:12 +0100
Hi Blake!

I developed an extranet/internet website for my former companies, and here is what I can advise you:

- Never use JavaScript as it can easily be bypassed,
- Always use HTTPS for sending login/password,
- If possible, use an X.509 issued by a known company (Verisign, Thawte, etc.) as it,
- If necessary, use a client certificate as well (you will probably need to pay them ...),
- Never store a clear-text password in a DB as many companies do, but as someone else suggested, just store their hashes (SHA-1, SHA-256, ...)

I set this up with ASP/MS SQL Server by the way ...

"I was thinking of using a random number generator to assign the codes. I am assuming this will also mean that I need a secure way of checking the database for the code and returning the data? Should https be implemented here?"

... Hum, this should be performed on the server's side, and just send back the proposed code to the user (via HTTPS of course).

Don't forget to handle the "Oh God, I forgot my password, what can I do?" case, preventing automatic brute-force attacks with spiders, registering who does what (depending on your country, you will have to inform authorities that you log client data!) and so on ...

HTH!

Regards.

PS: You can get in touch offline if you need more information.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jonathan Askew JBASKEW
Sent: Wednesday, 16 January 2008 22:29
To: security-basics () securityfocus com
Subject: Secure Login Form

First of all, I have very limited experience with web development and programming. That being said, I have been tasked with creating a secure login form. What I need to accomplish is the following:

1. The user registers their user name and password, and then provides an access code to prove they have bought the product and should have access to the site.
2. The user then enters their username/password into the form in order to login.
3. Upon returning to the site, the username and password should be remembered and the user should not have to enter these again.

I have been looking at various ways to create the login form (php, javascript, etc.) but I am concerned about the security provided. For example, the simple examples of javascript logins expose the password by looking at the page source. Since I am new to web development, I do not feel confident enough to create my own form. Each user needs to have their own unique username/pass combo as well. Can anyone suggest some examples or point me to a resource to get me started?

Also, this site has not been built yet and this is the first thing they want done. I need some ideas for generating the access code and then keeping track of which code has been assigned to which user. I was thinking of using a random number generator to assign the codes. I am assuming this will also mean that I need a secure way of checking the database for the code and returning the data? Should https be implemented here?

Thanks in advance for any advice offered. Being new to these technologies, I thought I should run everything by those more seasoned.

Blake

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
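The reply above recommends three server-side pieces: generate the access codes on the server rather than in the browser, keep track of which code was redeemed by which user, store only password hashes, and throttle repeated guessing. The following is an added example illustrating those pieces together; it is not code from either poster. It uses Python with an in-memory SQLite table standing in for the MS SQL Server / PHP database the thread mentions, so the schema, table names and the lockout threshold are assumptions made for this example. It goes slightly beyond the thread's "SHA-1/SHA-256" suggestion by salting and iterating the password hash (PBKDF2-HMAC-SHA256), which is the standard way to use such a hash for passwords; access codes, being high-entropy random values, are stored as a plain SHA-256 digest.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed schema: an in-memory SQLite DB stands in for the real server DB.
SCHEMA = """
CREATE TABLE users (
    username      TEXT PRIMARY KEY,
    salt          BLOB NOT NULL,
    pw_hash       BLOB NOT NULL,
    failed_logins INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE access_codes (
    code_hash   BLOB PRIMARY KEY,   -- only the hash of the code is stored
    assigned_to TEXT,               -- username once the code is redeemed
    FOREIGN KEY (assigned_to) REFERENCES users(username)
);
"""

PBKDF2_ITERATIONS = 100_000   # iterated hashing slows offline guessing
MAX_FAILED_LOGINS = 5         # lockout threshold; an assumed value for this example


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    # SHA-256 as the thread suggests, but salted per user and iterated via PBKDF2
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hash_code(code: str) -> bytes:
    # Codes come from a CSPRNG with 128 bits of entropy, so one SHA-256 pass suffices
    return hashlib.sha256(code.encode("utf-8")).digest()


def issue_access_code(conn: sqlite3.Connection) -> str:
    """Generate a code on the server side; the DB keeps only its hash."""
    code = secrets.token_hex(16)
    conn.execute("INSERT INTO access_codes (code_hash, assigned_to) VALUES (?, NULL)",
                 (hash_code(code),))
    conn.commit()
    return code   # handed to the buyer once (over HTTPS, as the reply says)


def register(conn: sqlite3.Connection, username: str, password: str, code: str) -> bool:
    """Create the account only if the access code exists and is still unredeemed."""
    row = conn.execute("SELECT assigned_to FROM access_codes WHERE code_hash = ?",
                       (hash_code(code),)).fetchone()
    if row is None or row[0] is not None:
        return False  # unknown code, or one already tied to a user
    salt = secrets.token_bytes(16)
    conn.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))
    conn.execute("UPDATE access_codes SET assigned_to = ? WHERE code_hash = ?",
                 (username, hash_code(code)))
    conn.commit()
    return True


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Verify the password and count failures so repeated guessing gets locked out."""
    row = conn.execute("SELECT salt, pw_hash, failed_logins FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        # Spend the same effort for unknown names so response time does not reveal them
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored, failed = row
    if failed >= MAX_FAILED_LOGINS:
        return False  # locked; a reset flow or operator has to clear the counter
    ok = hmac.compare_digest(hash_password(password, salt), stored)  # constant-time compare
    conn.execute("UPDATE users SET failed_logins = ? WHERE username = ?",
                 (0 if ok else failed + 1, username))
    conn.commit()
    return ok


if __name__ == "__main__":
    db = open_db()
    c = issue_access_code(db)
    print("registered:", register(db, "blake", "correct horse battery", c))
    print("login ok:", login(db, "blake", "correct horse battery"))
    print("login wrong:", login(db, "blake", "guess"))
```

The code is never written to the database in clear, so a leaked table does not hand out unused codes; the `assigned_to` column answers "which code went to which user"; and the failed-login counter is the simplest form of the brute-force protection the reply mentions. The "remember me" requirement from the original question is deliberately not covered here, since it is a separate session-token design rather than part of credential storage.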
Current thread:
- Secure Login Form Jonathan Askew JBASKEW (Jan 16)
- Re: Secure Login Form cory (Jan 16)
- Re: Secure Login Form Josh Haft (Jan 16)
- RE: Secure Login Form benoni.martin (Jan 17)
- Re: Secure Login Form Rodrigo Blanco (Jan 19)
- Re: Secure Login Form Joe Yong (Jan 21)
- <Possible follow-ups>
- Re: Secure Login Form krymson (Jan 17)
- Re: Secure Login Form MaddHatter (Jan 18)
- Re: Secure Login Form Bipin Upadhyay (Jan 19)