Login security

Issue about security


9 Replies - 1155 Views - Last Post: 20 September 2010 - 12:41 AM

#1 Zigson

  • New D.I.C Head

Reputation: 0
  • Posts: 4
  • Joined: 21-April 10

Login security

Posted 16 September 2010 - 11:06 PM

Hi,

I've been wondering about login security for web applications.

I assume the safest way should be:
- using a username/password form
- username/password should not be stored in a file, should be in a MySQL database
- be careful about SQL injection, use mysql_real_escape_string
- (use MD5, I need to look into this)

What about brute force attacks?
Using a captcha?

What more can I do to be on the safe side?


Replies To: Login security

#2 no2pencil

  • Head MFIC

Reputation: 5068
  • Posts: 26,450
  • Joined: 10-May 07

Re: Login security

Posted 16 September 2010 - 11:12 PM

Zigson, on 17 September 2010 - 12:06 AM, said:

What about brute force attack?

You can lock the username after so many attempts, same for the IP address of the viewer.

#3 Kruithne

  • D.I.C Regular

Reputation: 99
  • Posts: 439
  • Joined: 28-July 09

Re: Login security

Posted 17 September 2010 - 02:24 AM

When it comes to login security, as well as the things you have listed, I normally either use a captcha or a simple security question such as "What is 2+2". A bot will read that as 22 or similar, whereas (hopefully) humans will know what 2+2 is.

To avoid brute force attacks I normally lock an account out for 60 minutes after 5 invalid logins within 30 minutes, or something along those lines.

#4 Zigson

  • New D.I.C Head

Reputation: 0
  • Posts: 4
  • Joined: 21-April 10

Re: Login security

Posted 17 September 2010 - 02:34 AM

Thank you for the replies.

How can I lock an account out?

#5 no2pencil

  • Head MFIC

Reputation: 5068
  • Posts: 26,450
  • Joined: 10-May 07

Re: Login security

Posted 17 September 2010 - 02:36 AM

You can achieve this by creating a column in the database for enabled, live, or however you want to label it. Set it to zero by default, change it to 1 if banned. Then, when you've validated the username/password credentials, check the database for enabled.

Hopefully this makes sense.

#6 Kruithne

  • D.I.C Regular

Reputation: 99
  • Posts: 439
  • Joined: 28-July 09

Re: Login security

Posted 17 September 2010 - 03:25 AM

Working from what no2pencil said above, you just need to create an extra field in your users table; if it's set to 1 when they try to log in, it rejects them automatically, otherwise it continues with the normal login code.

If you wanted to lock them out for a timer, rather than a 1/0 switch, set it so that when they are not locked out it's 0 or null or something. When they get locked out, set it to the current date/time, then use that to work out if they can log in or not. This may sound more advanced than it actually is! :)


<?php
$username = mysql_real_escape_string(trim($_POST["username"]));
$password = trim($_POST["password"]);

// Defaults so an unknown username simply fails the password check
// (and the UPDATE below matches no row).
$userAccount = (object) array('ID' => 0, 'Username' => $username, 'Password' => null,
                              'LoginAttempts' => 0, 'LastLoginAttempt' => 0);

$query = mysql_query("SELECT ID, Password, LoginAttempts, LastLoginAttempt FROM Users WHERE Username = '".$username."'");
while($user = mysql_fetch_array($query))
{
    $userAccount->ID = (int)$user["ID"];
    $userAccount->Username = $username;
    $userAccount->Password = $user["Password"];
    $userAccount->LoginAttempts = (int)$user["LoginAttempts"];       // column values come back as strings
    $userAccount->LastLoginAttempt = (int)$user["LastLoginAttempt"]; // stored as a Unix timestamp
}

$errors = Array();
$attemptPeriod = 1800; // 30 minutes, in seconds
$now = time();         // Unix timestamp, so adding seconds to it is meaningful (date('YmdHi') is not)

if($now > $userAccount->LastLoginAttempt + $attemptPeriod || $userAccount->LoginAttempts != 5)
{
    // If passwords are hashed in the DB, hash $password the same way before this comparison
    if($password !== $userAccount->Password)
    {
        $errors[] = "Invalid Password Entered";
    }

    if(!count($errors))
    {
        //no errors, log them in
        echo 'Woot, you haz been logged in.';
    }
    else
    {
        echo join('<br/>',$errors);
    }

    //update loginattempt info
    if($userAccount->LoginAttempts == 5)
    {
        $loginAttempts = 0;
    }
    else
    {
        $loginAttempts = $userAccount->LoginAttempts+1;
    }
    mysql_query("UPDATE Users SET LoginAttempts = ".$loginAttempts.", LastLoginAttempt = ".$now." WHERE ID = ".$userAccount->ID);
}
else
{
    $errors[] = "Your account has been locked for increased login attempts, please try again later";
}

Just a quick "sketch" of what I normally do. Just wrote that up now so it probably won't work 100%. :)
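The lockout policy Kruithne describes (5 failures within 30 minutes locks the account for 60 minutes) and the timestamp column no2pencil and Kruithne sketch, written out as an added example that is not code from this thread. It assumes PHP 5.5 or later with the pdo_sqlite extension; an in-memory SQLite database stands in for the MySQL table, the schema and the 'alice' account are constructed for the demo, and the clock is passed in as a parameter so the policy can be walked through deterministically. Prepared statements replace the string-built SQL of the original snippet, which also answers the SQL injection point in the first post.

```php
<?php
// Added example, not from the thread. Time-window lockout on a users table
// using PDO prepared statements. Assumes PHP >= 5.5 with pdo_sqlite.

const MAX_ATTEMPTS = 5;    // failures allowed...
const WINDOW_SECS  = 1800; // ...within this window (30 minutes)
const LOCKOUT_SECS = 3600; // lock duration once the limit is reached (60 minutes)

function openDb() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema: the attempt counters live beside the account row.
    $db->exec('CREATE TABLE Users (
        ID INTEGER PRIMARY KEY, Username TEXT UNIQUE, PasswordHash TEXT,
        LoginAttempts INTEGER NOT NULL DEFAULT 0,
        FirstAttempt  INTEGER NOT NULL DEFAULT 0,
        LockedUntil   INTEGER NOT NULL DEFAULT 0)');
    $stmt = $db->prepare('INSERT INTO Users (Username, PasswordHash) VALUES (?, ?)');
    $stmt->execute(array('alice', password_hash('correct horse', PASSWORD_DEFAULT))); // constructed account
    return $db;
}

// Returns 'ok', 'bad_password', 'locked' or 'unknown_user'. $now is a Unix
// timestamp injected by the caller; production code passes time().
function attemptLogin(PDO $db, $username, $password, $now) {
    $stmt = $db->prepare('SELECT ID, PasswordHash, LoginAttempts, FirstAttempt, LockedUntil
                          FROM Users WHERE Username = ?');
    $stmt->execute(array($username));
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return 'unknown_user'; // a real form shows the same message as bad_password
    }
    if ((int)$user['LockedUntil'] > $now) {
        return 'locked';       // do not evaluate the password at all while locked
    }
    if (password_verify($password, $user['PasswordHash'])) {
        $db->prepare('UPDATE Users SET LoginAttempts = 0, FirstAttempt = 0 WHERE ID = ?')
           ->execute(array($user['ID']));
        return 'ok';
    }
    // Failed attempt: count it inside the window, lock when the limit is hit.
    $attempts = (int)$user['LoginAttempts'];
    $first    = (int)$user['FirstAttempt'];
    if ($attempts === 0 || $now - $first > WINDOW_SECS) {
        $attempts = 1;
        $first = $now;         // start a fresh window
    } else {
        $attempts++;
    }
    $lockedUntil = ($attempts >= MAX_ATTEMPTS) ? $now + LOCKOUT_SECS : 0;
    $db->prepare('UPDATE Users SET LoginAttempts = ?, FirstAttempt = ?, LockedUntil = ? WHERE ID = ?')
       ->execute(array($attempts, $first, $lockedUntil, $user['ID']));
    return 'bad_password';
}

// Walk the policy with a constructed clock ($t0 is an arbitrary epoch value).
$db = openDb();
$t0 = 1000000;
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    // five wrong passwords, one minute apart, all inside the 30-minute window
    echo attemptLogin($db, 'alice', 'wrong', $t0 + $i * 60), "\n";
}
// the correct password while the lock is still active
echo attemptLogin($db, 'alice', 'correct horse', $t0 + 300), "\n";
// the correct password once the one-hour lock has expired
echo attemptLogin($db, 'alice', 'correct horse', $t0 + 240 + LOCKOUT_SECS + 1), "\n";
```

Two design choices worth noting: the lock is checked before the password is verified, so a locked account gives an attacker no feedback about the password at all, and a successful login resets the counters, which is what the original snippet's "increment on every request" logic did not do. Locking by account alone means an attacker can lock out a victim on purpose; no2pencil's suggestion of also counting per source IP addresses that, and the counters for it would sit in a separate table keyed by address.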

#7 alienDeveloper

  • New D.I.C Head

Reputation: 3
  • Posts: 27
  • Joined: 11-November 08

Re: Login security

Posted 17 September 2010 - 07:47 AM

Hey, don't store the password directly in the DB either.

Always use MD5 with a password salt for added security.

#8 Kruithne

  • D.I.C Regular

Reputation: 99
  • Posts: 439
  • Joined: 28-July 09

Re: Login security

Posted 17 September 2010 - 08:14 AM

alienDeveloper, on 17 September 2010 - 06:47 AM, said:

Hey, don't store the password directly in the DB either.

Always use MD5 with a password salt for added security.

If you're using MD5 and salting and working off the code I posted above don't forget to apply the hash to the inputted password before comparing it with the one in the DB. :)

#9 Atli

  • D.I.C Lover

Reputation: 3636
  • Posts: 5,759
  • Joined: 08-June 10

Re: Login security

Posted 17 September 2010 - 02:07 PM

alienDeveloper, on 17 September 2010 - 01:47 PM, said:

Hey, don't store the password directly in the DB either.

Always use MD5 with a password salt for added security.

MD5 is a very weak hashing algorithm. It's not really a good idea to use it anymore for security.

I would recommend something in the SHA-2 family, or even Whirlpool. (See the hash() function.)
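Atli's suggestion of a SHA-2 hash via hash(), combined with the per-user salt alienDeveloper recommends and Kruithne's reminder to hash the submitted password before comparing it, as an added example that is not code from this thread. It assumes PHP 5.6 or later (hash_equals) with the openssl extension for the salt, and PHP 5.5 or later for the password_hash/password_verify pair shown at the end; the stored format "sha256$<salt>$<digest>" and the sample password are constructed for the demo.

```php
<?php
// Added example, not from the thread. Salted SHA-256 storage and verification,
// followed by the same two operations with PHP's built-in password API.

function makeSalt($bytes = 16) {
    // Random per-user salt, hex encoded (needs the openssl extension; PHP >= 7 also has random_bytes()).
    return bin2hex(openssl_random_pseudo_bytes($bytes));
}

// Produce the string to store: algorithm tag, salt and digest, so the salt
// travels with the hash and the scheme can be identified later.
function hashPasswordSha256($password, $salt = null) {
    if ($salt === null) {
        $salt = makeSalt();
    }
    return 'sha256$' . $salt . '$' . hash('sha256', $salt . $password);
}

// Verify a submitted password against a stored string of the format above.
function verifyPasswordSha256($password, $stored) {
    $parts = explode('$', $stored, 3);
    if (count($parts) !== 3 || $parts[0] !== 'sha256') {
        return false;
    }
    $expected = hash('sha256', $parts[1] . $password);
    // hash_equals compares in constant time, so the comparison does not leak
    // how many leading bytes matched.
    return hash_equals($expected, $parts[2]);
}

// Registration stores the salted hash; login hashes the submitted password the
// same way (salt taken from the stored value) before comparing.
$stored = hashPasswordSha256('hunter2'); // constructed sample password
echo 'sha256 correct password: ', var_export(verifyPasswordSha256('hunter2', $stored), true), "\n";
echo 'sha256 wrong password:   ', var_export(verifyPasswordSha256('hunter3', $stored), true), "\n";

// The same two operations with password_hash() (bcrypt by default). The work
// factor makes each guess far more expensive than a single SHA-256, which is
// why new code should prefer it over any fast hash, salted or not.
$storedBcrypt = password_hash('hunter2', PASSWORD_DEFAULT);
echo 'bcrypt correct password: ', var_export(password_verify('hunter2', $storedBcrypt), true), "\n";
echo 'bcrypt wrong password:   ', var_export(password_verify('hunter3', $storedBcrypt), true), "\n";
```

The salt defeats precomputed tables and makes two users with the same password store different values, but a single SHA-256 round is still fast enough that an offline guess rate is limited only by hardware; that is the gap password_hash() closes with its configurable cost, and it is the reason the salted-SHA-256 scheme above is shown for comparison rather than as the recommended choice.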

#10 Guest_Zigson*

Re: Login security

Posted 20 September 2010 - 12:41 AM

Thank you guys for all the extensive replies.