6

I usually ask user for his username and password and run a query over database to return true or false, do you think it's secure enough? do you think it's better to add some steps to procedure?

Ali Ahmad
  • 4,814
  • 8
  • 35
  • 61
ePezhman
  • 161
  • 1
  • 1
  • 5
  • Are you hashing the passwords using a strong KDF such as bcrypt or PBKDF2? Single-round solutions using salted SHA1 or MD5 are considered very weak these days. – Polynomial Apr 10 '13 at 07:25
  • Yes, I do hash the password with MD5. – ePezhman Apr 11 '13 at 05:31
  • A single cryptographic hash is incredibly weak. You should switch to a strong KDF such as bcrypt. See [this question](http://security.stackexchange.com/questions/17421/how-to-store-salt/) for details on how/why. – Polynomial Apr 11 '13 at 09:55

7 Answers7

5

"Security" encompasses the whole system, including your server, your database, the transport mechanism between client and server, the client's browser... and the human user. Usually, this last item will be the bottleneck of security. You can (and should) do a lot of things to process the password correctly (use HTTPS for transfer, store only a properly hashed version of the password,...) but, ultimately, your security won't be greater than the care with which the user will choose and keep private his password.

You can help the user with education and providing password generation tools, taking care to flatter the user into cooperation, rather than constraining him into submission (angry users are never a good thing for security). Yet standard passwords will only get you that far (by "standard" I mean "passwords which human users remember in their mind").

Heavier methods with at least potential for stronger security include:

  • one-time passwords, either printed on a paper or generated on-the-fly by a hardware device such as this one;
  • SSL client certificates, stored in the entrails of the user's machine, or, for better resilience, in a smart card;
  • biometric systems, which make sense, security-wise, as long as the physical characteristic which is thus measured is reasonably secret (e.g. a retina scan, as opposed to face recognition, because your face is not secret at all, you show it to everybody every time you go in the street) or there is a contextual feature (an armed guard) which ensures that you are putting your own real biological finger on the fingerprint reader;
  • combinations of several of the above.

Security practitioners often talk of multi-factor authentication as a generic classification framework for authentication methods, which may help in assessing what kind of attacks the system would resist to (this classification is often abused into simplistic judgements such as "2FA is good, 1FA is bad", which more relate to administrative compliance and public relations than actual security).

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
2

It depends from which standpoint you want to increase security, you can add extra forms of authentication and verification, for instance:

Something which might be interesting is to add two-factor authentication. For instance Google offers Google Authenticator. Which requires your users to additionally enter a random generated token (the token is generated on your smartphone).

Apart from authenticating them, you can also check from where in the world they are connecting from. For instance if they were connecting from the Netherlands and suddenly they are logging in from an IP in Brazil, something might be wrong. So it's best to temporarily block the account and send the user an email with a notification and re-activation link. That way if the user trying to log in is legitimate they will be able to re-activate their account. Otherwise they will notice someone in Brazil knows their password. (this isn't fool proof if the users are re-using passwords for their email).

Lucas Kauffman
  • 54,229
  • 17
  • 113
  • 196
1

You can setup Apache (and I assume IIS) to only accept connections where the client has a certificate, and you can require two-factor authentication (Password/One Time key) after that. It seems like overkill, but it's not too hard to implement, if you control the devices your users will connect from (think corporate web mail, where you own the laptop/phone).

There is a good explanation here: http://wiki.cacert.org/ApacheServerClientCertificateAuthentication

TildalWave
  • 10,801
  • 11
  • 46
  • 85
Hybrid
  • 4,198
  • 2
  • 21
  • 23
0

You could:

  1. use a OS always up to date;

  2. use the HTTPS protocol into your login page to secure the login informations;

  3. use the cookies for the users authentication after login;

  4. enable a two-factor authentication (one example is Google Authenticator);

  5. store the IP of the users and the login access to identifying a probably attack;

  6. use a brute-force protection, two-factor authentication is one way, another way is use my last project Colobe to automatically identifying the brute-force attacks and block them.

Nicola
  • 181
  • 3
  • 1
    Hoe does using a linux server makes the authentication process secure? – Shurmajee Apr 10 '13 at 10:08
  • Because linux server is generally more secure than windows server. – Nicola Apr 10 '13 at 10:32
  • 1
    1. the question is about securing the authentication process 2. you cannot simply say that linux is more secure than windows server – Shurmajee Apr 10 '13 at 10:35
  • I have just changed the answer.. Anyway, if there are some bugs in the code or in the OS a hacker can exploit the weaknesses to bypass the login control. – Nicola Apr 10 '13 at 11:11
0

It is enough for most of the websites out there but if you are running a banking or other financial service website you may use two factor authentication.

The other answers have discussed Google authenticator and use of geo-location to track the source of authentication request. If you have a mobile gateway set up you may even send a One Time Password (OTP) on the user's mobile phone to authenticate him in addition to the regular credentials.

Do remember one thing, adding an addition level of authentication does add security but you should never neglect the user experience factor which is essential for any website to be successful. Unless you are running a website that deals with financial transactions do not trouble your users with extra security features. A gaming website or a discussion forum can do with simple authentication.

Shurmajee
  • 7,335
  • 5
  • 28
  • 59
0

One step that could make your site more secure would be to remove the database lookup based authentication from your core web app and database and move that authentication into its own server (or at least a separate process), communicating through a services API. That way, even if someone compromises the website, they don't get easy access to all of your password hashes.

This is an example of privilege separation - moving privileged operations from non-privileged code.

An LDAP server is often used as an authentication server, but care must be taken to use a secure authentication method.

Johnny
  • 1,418
  • 13
  • 19
-1

Sorry guys, but aside from the conventional techniques, which are the minimum you can do these days:

  • HTTPS
  • Cryptography
  • Saving only Hashed passwords

The best technique is to use a combination of username, password, and a random token sent to the user's phone. This way you can increase security, especially around the most vulnerable part (the user), without annoying the final client too much.

It is wishful thinking to presume that common users (non-technical) will use a strong different password for every service online, so that is the best approach.

Reid Rankin
  • 1,082
  • 5
  • 10