Hi,
I've been wondering about login security for web applications.
I assume the safest way should be:
- using username/password form
- username/password should not be stored in a file, should be in MySQL database
- be careful about SQL injection, use mysql_real_escape_string
- (use md5, I need to look into this)
What about brute force attack?
Use of captcha?
What more can I do to be on the safe side?
Login security: Issue about security
Page 1 of 1
9 Replies - 3024 Views - Last Post: 20 September 2010 - 12:41 AM
Replies To: Login security
#2
Re: Login security
Posted 16 September 2010 - 11:12 PM
#3
Re: Login security
Posted 17 September 2010 - 02:24 AM
When it comes to login security, as well as the things you have listed, I normally either use a captcha or a simple security question such as "What is 2+2". A bot will read that as 22 or similar, whereas (hopefully) humans will know what 2+2 is.
To avoid brute force attacks I normally lock an account out for 60 minutes after 5 invalid logins within 30 minutes, or something along those lines.
#4
Re: Login security
Posted 17 September 2010 - 02:34 AM
Thank you for replies.
How can I lock an account out?
#5
Re: Login security
Posted 17 September 2010 - 02:36 AM
You can achieve this by creating a column in the database for enabled, live, or however you want to label it. Set it to zero by default, change it to 1 if banned. Then when you've validated the username/password credentials, check the database for enabled.
Hopefully this makes sense.
#6
Re: Login security
Posted 17 September 2010 - 03:25 AM
Working from what no2pencil said above, you just need to create an extra field in your users table, if it's set to 1 when they try to log in then it rejects them automatically, otherwise continues with the normal login code.
If you wanted to lock them out for a timer, rather than a 1/0 switch, set it so when they are not locked out it's 0 or null or something. When they get locked out set it to the current date/time, then use that to work out if they can log in or not. This may sound more advanced than it actually is!
Just a quick "sketch" of what I normally do. Just wrote that up now so it probably won't work 100%.

```php
<?php
// Login check with a lock-out counter. Columns assumed: ID, Password, LoginAttempts (int),
// LastLoginAttempt (int, Unix timestamp). The password is compared exactly as stored; if you
// hash it on registration, hash the submitted value the same way before this comparison.
$username = mysql_real_escape_string(trim($_POST["username"]));
$password = trim($_POST["password"]);

$query = mysql_query("SELECT ID, Password, LoginAttempts, LastLoginAttempt FROM Users WHERE Username = '" . $username . "'");
$userAccount = null;
while ($user = mysql_fetch_array($query)) {
    $userAccount = new stdClass();
    $userAccount->ID = (int) $user["ID"];
    $userAccount->Username = $username;
    $userAccount->Password = $user["Password"];
    $userAccount->LoginAttempts = (int) $user["LoginAttempts"];
    $userAccount->LastLoginAttempt = (int) $user["LastLoginAttempt"];
}

$errors = array();
$attemptPeriod = 1800; // 30 minutes, in seconds; both sides of the comparison below are Unix timestamps
$now = time();

if ($userAccount === null) {
    $errors[] = "Invalid Username Entered";
} elseif ($now > $userAccount->LastLoginAttempt + $attemptPeriod || $userAccount->LoginAttempts < 5) {
    // either the 30-minute window has passed or there have been fewer than 5 failures: allow the attempt
    if ($password !== $userAccount->Password) {
        $errors[] = "Invalid Password Entered";
    }
    if (!count($errors)) {
        // no errors, log them in and reset the counter on success
        echo 'Woot, you haz been logged in.';
        $loginAttempts = 0;
    } elseif ($userAccount->LoginAttempts >= 5) {
        // the old window has expired, so start a fresh count with this failure
        $loginAttempts = 1;
    } else {
        $loginAttempts = $userAccount->LoginAttempts + 1;
    }
    // update login attempt info
    mysql_query("UPDATE Users SET LoginAttempts = " . $loginAttempts . ", LastLoginAttempt = " . $now . " WHERE ID = " . $userAccount->ID);
} else {
    $errors[] = "Your account has been locked for increased login attempts, please try again later";
}

if (count($errors)) {
    echo join('<br/>', $errors);
}
```
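Putting posts #3, #5 and #6 together as one worked example: a lock-out that stores the "locked until" time in a column, as #6 suggests, with the 5-failures-in-30-minutes, 60-minute-lock numbers from #3. This is an added example, not code from the thread; it uses PDO prepared statements rather than string-built SQL (so the SQL injection worry from the first post goes away), and the table and column names (`users`, `failed_logins`, `last_failure`, `locked_until`) are assumptions. The demo at the bottom runs against an in-memory SQLite database with constructed data, so it needs no MySQL server.

```php
<?php
// Added example (not from the thread). Schema assumed (hypothetical):
//   users(id, username, password_hash, failed_logins INT, last_failure INT NULL, locked_until INT NULL)
// last_failure and locked_until are Unix timestamps.

const MAX_FAILURES   = 5;     // failures allowed inside the window before locking
const FAILURE_WINDOW = 1800;  // 30 minutes: failures older than this are not counted
const LOCK_DURATION  = 3600;  // 60 minutes, as suggested in post #3

function attemptLogin(PDO $db, string $username, string $password): string
{
    // Placeholder binding: the username is sent as data, never spliced into the SQL text
    $stmt = $db->prepare('SELECT id, password_hash, failed_logins, last_failure, locked_until
                          FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    $now = time();

    if ($user === false) {
        // Unknown user: still run one password_verify() so the response time does not
        // reveal which usernames exist (a real hash is needed, a malformed one fails fast)
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return 'invalid';
    }

    // Locked out: reject before checking the password, so guesses cost nothing to the attacker
    if ($user['locked_until'] !== null && $now < (int) $user['locked_until']) {
        return 'locked';
    }

    if (password_verify($password, $user['password_hash'])) {
        $db->prepare('UPDATE users SET failed_logins = 0, last_failure = NULL, locked_until = NULL
                      WHERE id = :id')->execute([':id' => $user['id']]);
        return 'ok';
    }

    // Failed: count it if it falls inside the window, otherwise start a new count
    $inWindow = $user['last_failure'] !== null && ($now - (int) $user['last_failure']) <= FAILURE_WINDOW;
    $failures = $inWindow ? (int) $user['failed_logins'] + 1 : 1;
    $lockedUntil = $failures >= MAX_FAILURES ? $now + LOCK_DURATION : null;
    $db->prepare('UPDATE users SET failed_logins = :f, last_failure = :t, locked_until = :l
                  WHERE id = :id')
       ->execute([':f' => $failures, ':t' => $now, ':l' => $lockedUntil, ':id' => $user['id']]);
    return $lockedUntil === null ? 'invalid' : 'locked';
}

// Demo against an in-memory SQLite database (constructed data, not from the thread)
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT,
           failed_logins INTEGER DEFAULT 0, last_failure INTEGER NULL, locked_until INTEGER NULL)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)')
   ->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

for ($i = 1; $i <= 6; $i++) {
    // attempts 1-4 print "invalid", attempt 5 locks the account, attempt 6 is refused as "locked"
    echo "attempt $i: " . attemptLogin($db, 'alice', 'wrong') . PHP_EOL;
}
echo 'right password while locked: ' . attemptLogin($db, 'alice', 'correct horse') . PHP_EOL; // locked
echo 'injection attempt as username: ' . attemptLogin($db, "bob' OR '1'='1", 'x') . PHP_EOL;  // invalid
```

Two design points worth noting. The lock check happens before the password is verified, so an attacker gets no feedback on guesses made while the account is locked, and the correct password does not unlock it early. Locking per account also means an attacker can deliberately lock a victim out by sending five bad passwords; a per-IP or per-session counter alongside it, or a captcha after a few failures as post #3 suggests, limits that side effect.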

#7
Re: Login security
Posted 17 September 2010 - 07:47 AM
Hey, don't store the password directly in the DB either.
Always use md5 with a password salt for added security.
#8
Re: Login security
Posted 17 September 2010 - 08:14 AM
alienDeveloper, on 17 September 2010 - 06:47 AM, said:
Hey, don't store the password directly in the DB either.
Always use md5 with a password salt for added security.
If you're using MD5 and salting and working off the code I posted above don't forget to apply the hash to the inputted password before comparing it with the one in the DB.

#9
Re: Login security
Posted 17 September 2010 - 02:07 PM
alienDeveloper, on 17 September 2010 - 01:47 PM, said:
Hey, don't store the password directly in the DB either.
Always use md5 with a password salt for added security.
MD5 hash is a very weak hashing algorithm. Not really a good idea to use it anymore for security.
I would recommend something in the SHA-2 family, or even Whirlpool. (See the hash() function.)
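To make the hashing advice from posts #7 to #9 concrete, here is an added example (not code from the thread) that stores a password two ways: the per-user salted hash from the SHA-2 family via `hash()` that #9 recommends, and `password_hash()`/`password_verify()` (bcrypt, PHP 5.5 and later), which is the better choice today because bcrypt is deliberately slow to compute and carries its own salt and cost factor inside the stored string. Plain MD5, salted or not, is fast enough that a leaked table can be brute-forced at billions of guesses per second, which is the real reason #9's warning matters. The storage format `sha256$<salt>$<digest>`, the function names and the demo values are all assumptions made for the example.

```php
<?php
// Added example (not from the thread). Helper names and the "sha256$salt$digest" storage
// format are hypothetical choices for illustration.

// (a) Salted SHA-256 with a random per-user salt, as the replies describe but with SHA-2 instead of MD5
function makeSaltedSha256(string $password): string
{
    $salt = bin2hex(random_bytes(16));        // 128-bit random salt, unique per user, stored beside the digest
    $digest = hash('sha256', $salt . $password);
    return 'sha256$' . $salt . '$' . $digest;
}

function checkSaltedSha256(string $password, string $stored): bool
{
    $parts = explode('$', $stored, 3);
    if (count($parts) !== 3 || $parts[0] !== 'sha256') {
        return false;
    }
    [, $salt, $digest] = $parts;
    // hash_equals() runs in constant time; a plain === stops at the first differing byte
    return hash_equals($digest, hash('sha256', $salt . $password));
}

// (b) bcrypt via password_hash(): the result embeds algorithm, cost and salt, e.g. "$2y$12$..."
function makeBcrypt(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Verify against either format. When the stored value is the old salted SHA-256, or a bcrypt
// hash with a lower cost than we now want, return a replacement so the caller can upgrade the
// row during this login (the only time the clear-text password is available to rehash).
function verifyAndUpgrade(string $password, string $stored): array
{
    if (strncmp($stored, 'sha256$', 7) === 0) {
        if (!checkSaltedSha256($password, $stored)) {
            return ['ok' => false, 'rehash' => null];
        }
        return ['ok' => true, 'rehash' => makeBcrypt($password)];
    }
    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'rehash' => null];
    }
    $rehash = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]) ? makeBcrypt($password) : null;
    return ['ok' => true, 'rehash' => $rehash];
}

// Demo with constructed values
$old = makeSaltedSha256('hunter2');
$r = verifyAndUpgrade('hunter2', $old);
echo 'old format accepted: ' . var_export($r['ok'], true)
   . ', upgraded to: ' . substr($r['rehash'], 0, 7) . PHP_EOL;               // true, $2y$12$
$r2 = verifyAndUpgrade('hunter2', $r['rehash']);
echo 'bcrypt accepted: ' . var_export($r2['ok'], true)
   . ', further upgrade needed: ' . var_export($r2['rehash'] !== null, true) . PHP_EOL; // true, false
echo 'wrong password: ' . var_export(verifyAndUpgrade('hunter3', $old)['ok'], true) . PHP_EOL; // false
```

The migration path in `verifyAndUpgrade()` is the practical answer to "we already have an MD5 or SHA column": you cannot convert stored digests without the passwords, but you can replace each one the next time its owner logs in, and the storage-format prefix tells the code which check to run. Compare digests with `hash_equals()` rather than `===` so the comparison time does not depend on how many leading bytes match.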
#10 Guest_Zigson*
Re: Login security
Posted 20 September 2010 - 12:41 AM
Thank you guys for all extensive replies.