- Password encryption
  - Never store passwords in plain text
  - Ideally use one-way encryption (hashing), so the stored value cannot be turned back into the password
  - Don’t use MD5 anymore; good choices are SHA-1, SHA-2 (SHA-256, SHA-512), Whirlpool, Tiger, AES, Blowfish
  - The best is Blowfish (the Blowfish-based bcrypt password hash): it is secure, free, easy to use, and slow, which is what you want for password hashing
- Salting passwords
  - A salt is additional data added to the password before hashing; the main purpose of salts is to defend against dictionary attacks
  - Salts can be made unique to each user
  - Salts can be created as a pseudo-random string, for example using time functions; in that case each salt must be saved in the database alongside the hash (salts can be hashed as well)
- Password requirements
  - Require a minimum length, but do not limit the maximum length
  - Require non-alphanumeric characters
  - Ask the user to confirm the password
  - Report password strength to the user
  - Do not record a password hint
  - Security questions may be vulnerable to attack: internet research could reveal the answers, and the user’s friends or family members might know them
- Brute force attacks
  - The attacker tries all possible passwords over and over until the correct one is found
  - To strengthen passwords, allow all characters and long strings
  - Enforce a clipping level (a maximum number of failed attempts) and use slow password hashing algorithms, together with timing and throttling of login attempts
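The salting, slow-hashing and clipping-level points above, worked as an added example (not code from the original notes): a per-user random salt, a deliberately slow one-way hash (PBKDF2-SHA256 stands in for bcrypt here), constant-time verification, and an in-memory user store that locks the account once the clipping level is reached. The salt length, iteration count and clipping level are assumed values chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Parameters chosen for this example (assumptions, not from the notes).
SALT_BYTES = 16        # per-user random salt length
ITERATIONS = 100_000   # PBKDF2 work factor: the "slow" knob, raise it over time
CLIPPING_LEVEL = 5     # failed logins allowed before the account is locked


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way, salted, deliberately slow hash: 'pbkdf2_sha256$iter$salt$hash'."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


class UserStore:
    """In-memory stand-in for the users table: stores hash + salt, never the password."""

    def __init__(self) -> None:
        self.users = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = {"hash": hash_password(password), "failed": 0}

    def login(self, username: str, password: str) -> str:
        user = self.users.get(username)
        if user is None:
            hash_password(password)  # same cost as a real check, so timing does not reveal valid usernames
            return "denied"
        if user["failed"] >= CLIPPING_LEVEL:
            return "locked"          # clipping level reached: refuse even a correct password
        if verify_password(password, user["hash"]):
            user["failed"] = 0
            return "ok"
        user["failed"] += 1
        return "locked" if user["failed"] >= CLIPPING_LEVEL else "denied"
```

Because every user gets a fresh salt, two users with the same password end up with different stored hashes, which is what defeats a precomputed dictionary.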
- SSL
  - Provides communication security
  - Verifies the authenticity of the remote server
  - Encrypts all data exchanged with the server
  - Prevents snooping and session hijacking
  - Requires all assets on a web page, such as JavaScript, CSS and images, to be loaded securely as well
  - Use SSL to encrypt all credit card transactions and all usernames/passwords sent to the server
- Protecting Cookies
  - Please read this article
- Regulating Access Privilege
  - Least privilege
  - Make privileges easy to revoke
  - Restrict access to the privilege administration tools
  - Divide restricted actions into “privilege areas”
  - Regulate access by user access level or category
- Handling Forgotten Passwords
  - Ask about privileged information
  - Ask security challenge questions
  - Since the user’s email address is their identity, send an email with a reset token
- Multi factor authentication
  - Authentication requires two or more factors
  - Something only the user knows, something only the user has, something only the user is
Tag: User Authentication