How do I secure my login page?
-
The login page is the starting point of any web site and the most important thing for authenticating the user. When I begin to build any web application, I take a lot of time to think about how to design a login page with a flexible interface that is also secure. Is there any common advice, tips, or a "must do" list to take into consideration when I begin building the login page? I want general advice, because my DBMS may be Informix, MySQL or SQL Server.
-
Answer:
Here are a few more:
- Whenever you can, avoid reinventing the wheel. If you can, reuse and improve your system from project to project, peer reviewing each time.
- Keep the password obscured: don't show text on the page, transmit over HTTPS, don't log it in the clear on the back end, store it safely in the database. Basically, wherever the password goes, privacy should be maintained.
- Do log errors; don't show too much info to users. Especially the "bad password" vs. "bad username" case: don't tell the attacker that they have found a valid username; tell them "invalid credentials" or "bad username/password" without specifics. But do, on the back end, log the problems: is this a repeat of a username? What are the characteristics of the current failure? In a high-end system, you'd have something watching and alerting admins if the behavior showed attack-like qualities.
- Clearly show the thing the user is logging into on the page, and provide a link or on-page display of the terms of use. Do have this vetted with the lawyer/customer.
- Consider a password locking system and what fits for the users. For optimal reuse, have configuration settings for the number of bad logins before lockout and the number of minutes of lockout before re-enablement (with a setting for "manual reset only").
- Carefully consider any feature for password reset; these are hard to craft securely.
- Consider your users and anything they may need for authenticating your server. Many aren't SSL/certificate savvy, so what can you do to minimize a user giving their password for your site to a hacker?
just_name at Information Security
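The lockout and logging advice in the answer above, as an added example that is not part of the original post: a small authenticator with the three configurable settings the answer names (bad logins before lockout, lockout minutes, "manual reset only"), one generic error message for every failure, and the real reason written only to the server-side log. Names such as `Authenticator`, `LockoutPolicy` and the injectable `clock` are assumptions for the example; password hashing uses the standard library's PBKDF2.

```python
import hashlib, hmac, logging, os, time
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("auth")
GENERIC_ERROR = "Invalid username or password"  # one message for every failure

@dataclass
class LockoutPolicy:
    max_failures: int = 5            # bad logins before lockout
    lockout_minutes: int = 15        # minutes until automatic re-enablement
    manual_reset_only: bool = False  # True: only an admin clearing locked_at re-enables

@dataclass
class Account:  # constructed in-memory record; a real app keeps this in the DBMS
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_at: Optional[float] = None

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Authenticator:
    def __init__(self, policy: LockoutPolicy, clock=time.time):
        self.policy, self.clock, self.accounts = policy, clock, {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # per-user salt, stored beside the hash
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def _locked(self, acct: Account) -> bool:
        expired = (acct.locked_at is not None and not self.policy.manual_reset_only
                   and self.clock() - acct.locked_at >= self.policy.lockout_minutes * 60)
        if expired:
            acct.failures, acct.locked_at = 0, None  # lockout period over: re-enable
        return acct.locked_at is not None

    def login(self, username: str, password: str) -> tuple:
        acct = self.accounts.get(username)
        if acct is None or self._locked(acct):
            # The detail stays in the server log; the user only sees GENERIC_ERROR.
            log.warning("rejected %r: %s", username, "unknown user" if acct is None else "locked out")
            return False, GENERIC_ERROR
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return True, "ok"
        acct.failures += 1
        if acct.failures >= self.policy.max_failures:
            acct.locked_at = self.clock()
        log.warning("bad password for %r (%d/%d)%s", username, acct.failures,
                    self.policy.max_failures, ", now locked out" if acct.locked_at is not None else "")
        return False, GENERIC_ERROR
```

The log lines are what an admin-alerting monitor would watch; the caller never learns whether the username existed or the account was locked.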
Other answers
Modern day version: Use HTTPS for your entire site, including the marketing pages. Add the HTTP Strict Transport Security header (https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security). If your target audience is computer savvy enough, then avoid the traditional username & password login completely. Offload that to a good federated login system, such as multi-provider OpenID (https://secure.wikimedia.org/wikipedia/en/wiki/OpenID), Facebook Login (https://developers.facebook.com/docs/guides/web/#login) or Google Accounts (https://code.google.com/apis/accounts/docs/GettingStarted.html). For the functionality on your site that has higher security needs (the important stuff), apply CSRF protection (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet).
Jesper Mortensen
- Use SSL.
- Hash and salt your passwords, preferably using a library instead of rolling your own.
- Pass data to the SQL server using binding instead of trying to escape strings.
- Don't output anything that's input; prevent XSS entirely.
Phishing is another matter entirely.
Jeff Ferland
Skip building your own login page entirely. If you have the option, use Claims Based Authentication and identity federation instead: http://claimsid.codeplex.com/ (that link is particular to .NET, but it has a good primer on CBA).
SteveS
To expand on Jeff's 4th point: validate all input and encode all output. This will prevent the majority of the common attacks currently found on the Internet. Also, patch your O/S and your applications. When security patches come out for your database, patch them!
Rory Alsop
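Jeff's binding and XSS points and Rory's "validate input, encode output" expansion, as one added example that is not from either answer. It uses an in-memory SQLite table constructed for the demo (the same query shape applies to Informix, MySQL or SQL Server through their own drivers); a user named `o'brien` shows why string-built SQL breaks while a bound parameter treats the quote as data, and `html.escape` encodes a stored display name on output. Function names are assumptions for the example.

```python
import html
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("o'brien", "Pat O'Brien"), ("alice", "Alice <Admin>")])
    return db

def find_user_concatenated(db: sqlite3.Connection, username: str):
    # Builds the SQL by string formatting: a legitimate apostrophe in the name
    # changes the statement's structure and the query fails. Shown only as the
    # "before" that binding replaces.
    return db.execute(
        f"SELECT display_name FROM users WHERE username = '{username}'").fetchone()

def find_user_bound(db: sqlite3.Connection, username: str):
    # Parameter binding: the value travels separately from the SQL text,
    # so quotes in the username are data, never syntax.
    return db.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)).fetchone()

def greeting_html(display_name: str) -> str:
    # Encode on output: whatever is stored renders as text, not markup.
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"

def lookup_and_render(db: sqlite3.Connection, username: str) -> str:
    row = find_user_bound(db, username)
    return greeting_html(row[0]) if row else "<p>Unknown user</p>"

if __name__ == "__main__":
    db = make_db()
    print(lookup_and_render(db, "o'brien"))  # bound query handles the quote
    print(lookup_and_render(db, "alice"))    # angle brackets come out encoded
```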
This page contains a lot of information regarding how to securely use TLS for your website. While there are other concerns for your authentication system (such as password storage, session management etc) this will still provide a lot of good information. https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
Michael Coates