[Zigson]

Hi,

I've been wondering about login security for web applications.

I asume the safesets way should be:
- using username/password form
- username/password should not be stored in a file, should be in MySQL database
- be careful about sql injection, use mysql_real_escape_string
- (use md5, i need to look into this)

What about brute force attack?
Using of captcha?

What more can i do to be on the safe side?

[no2pencil]

Zigson, on 17 September 2010 - 12:06 AM, said:

What about brute force attack?

You can lock the username after so many attempts, same for ip address of viewer.

[Kruithne]

When it comes to login security, as well as the things you have listed, I normally either use a captcha or a simple security question such as "What is 2+2". A bot will read that as 22 or similar where as (hopefully) humans will know what 2+2 is.

To avoid brute force attacks I normally lock an account out for 60 minutes after 5 invalid logins within an 30 minutes or something along those lines.

[Zigson]

Thank you for replies.

How can I lock an account out?

[no2pencil]

You can archive this by creating a column in the database for enabled, live, or however you want to label it. Set it to zero by default, change it to 1 if banned. Then when you've validated the username/password credentials, check the database for enabled.

Hopefully this makes sense.

[Kruithne]

Working from what no2pencil said above, you just need to create an extra field in your users table, if it's set to 1 when they try to log in then it rejects them automatically, otherwise continues with the normal login code.

If you wanted to lock them out for a timer, rather than a 1/0 switch, set it so when they are not locked out, it's 0 or null or something. When they get locked out set it to the current date/time, then use that to work out if they can log in or not. This may sound more advanced that it actually is!

$username = mysql_real_escape_string(trim($_POST["username"]));
$password = trim($_POST["password"]);

$query = mysql_query("SELECT ID,Password, LoginAttempts, LastLoginAttempt FROM Users WHERE Username = '".$username."'");
while($user = mysql_fetch_array($query))
{
    $userAccount->ID = $user["ID"];
    $userAccount->Username = $username;
    $userAccount->Password = $user["Password"];
    $userAccount->LoginAttempts = $user["LoginAttempts"];
    $userAccount->LastLoginAttempt = $user["LastLoginAttempt"];
}

$errors = Array();
$attemptPeroid = 1800; // 30 minutes

if(date('YmdHi') > $userAccount->LastLoginAttempt + $attemptPeriod  || $userAccount->LoginAttempts !== 5)
{

    if($password !== $userAccount->Password)
    {
        $errors[] = "Invalid Password Entered";
    }

    if(!count($errors))
    {
        //no errors, log them in
        echo 'Woot, you haz been logged in.';
    }
    else
    {
        echo join('<br/>',$errors);
    }

    
    //update loginattempt info
    if($userAccount->LoginAttempts == 5)
    {
        $loginAttempts = 0;
    }
    else
    {
        $loginAttempts = $userAccount->LoginAttempts+1;
    }
    mysql_query("UPDATE Users SET LoginAttempts = ".$loginAttempts.", LastLoginAttempt = ".date('YmdHi')." WHERE ID = ".$userAccount->ID);
}
else
{
    $errors[] = "Your account has been locked for increased login attempts, please try again later";
}

Just a quick "sketch" of what I normally do. Just wrote that up now so it probably won't work 100%.

[alienDeveloper]

hey dont store the password directly in the db too.

always use md5 with a password salt for added security.

[Kruithne]

alienDeveloper, on 17 September 2010 - 06:47 AM, said:

hey dont store the password directly in the db too.

always use md5 with a password salt for added security.

If you're using MD5 and salting and working off the code I posted above don't forget to apply the hash to the inputted password before comparing it with the one in the DB.

[Atli]

alienDeveloper, on 17 September 2010 - 01:47 PM, said:

hey dont store the password directly in the db too.

always use md5 with a password salt for added security.

MD5 hash is a very weak hashing algorithm. Not really a good idea to use it anymore for security.

I would recommend something in the SHA-2 family, or even Whirlpool. (See the hash() function.)