Things to consider when coding a login system


This article is really aimed at PHP, but the tips are general and apply in any language.

1. Usernames and passwords should be 6 characters long, or more.

2. Don't give any extra information on a failed login.
This, I believe, is one of the most important parts of making your login system. You see many websites with the "Incorrect Password" message, and as helpful as it is, it really is a security risk: it confirms to the attacker that the username exists. On any scripts I make myself I ALWAYS go for the old reliable "Incorrect Username / Password", and so should you. Why give the crackers more information than they need?

3. Passwords in the user account table of your database must be hashed, never stored in plain text.
MD5 them or SHA1 them; it's an open debate which one you use and which is more secure. In the end, if the cracker has access to the database you're in a bad place already, but why hand them all the user passwords as well?

4. Never use "admin" or "root" as your administrator username.
This one is pretty important. Usually what I do here is set up my own account as the real administrator, then have "root" and "admin" as fake accounts that log the IPs of people who try to log into them. You could go a bit more extreme here and ban the IP from the website straight away when they try to log in; I tend to stay away from that, though, and just log the number of attempts and so on.

5. Create a separate area for administrators to log in.
I only ever saw this technique used when working at Absolute Events: the admin centre was actually based off the address http://www.absoluteevents.ie/password (of course there was a login after that). It throws off the casual person and makes things quite difficult. The only way this is really useful, though, is if you ONLY have admin settings inside this centre, so that an administrator who logs into the system normally is treated like a normal user.

6. Log users' last login time and IP.
This is one of my favourites. When the user logs in, just use the PHP time() function and store the result in the database, then fetch their IP and store it in the database as well. From there you can tell the user their last login and IP, for example: "You last logged in on 09/06/2007 at 3.00pm with the IP: 127.0.0.1". The user can then easily tell if they did not log in at that time and report it to an administrator.

7. Use the maxlength attribute in forms.
This is another handy one to consider; it stops the average user shoving nasty code in there! ;) Bear in mind that maxlength is only enforced by the browser, so the server still has to check the length itself.
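Putting tips 1, 2, 3, 4, 6 and 7 together, here is an added example in PHP (my own illustration, not code from the original post). It assumes PDO with the SQLite driver is available, and the table and column names (`users`, `honeypot_attempts`, `last_login`, `last_ip`) are my own choice. For tip 3 it uses PHP's built-in password_hash()/password_verify() (available since PHP 5.5), which salt and stretch the password, rather than md5() or sha1(); for tip 7 it checks lengths on the server, since a form's maxlength is only enforced by the browser.

```php
<?php
// Added example (not from the original post): a minimal login routine that
// applies tips 1, 2, 3, 4, 6 and 7 together. Uses an in-memory SQLite database
// through PDO so it runs stand-alone; table and column names are assumptions.
declare(strict_types=1);

const MIN_LEN = 6;                                     // tip 1
const HONEYPOT_USERS = ['admin', 'root'];              // tip 4: decoy accounts
const LOGIN_FAILED = 'Incorrect Username / Password';  // tip 2: one message for every failure

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        username      TEXT PRIMARY KEY,
        password_hash TEXT NOT NULL,
        last_login    INTEGER,   -- unix timestamp from time(), tip 6
        last_ip       TEXT)');
    $db->exec('CREATE TABLE honeypot_attempts (username TEXT, ip TEXT, attempted_at INTEGER)');
    return $db;
}

function registerUser(PDO $db, string $username, string $password): void {
    // Tip 3: never store the plaintext. password_hash() (bcrypt by default)
    // salts and stretches the password; used here instead of md5()/sha1().
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $username, string $password, string $ip): array {
    // Tips 1 and 7: maxlength in the form is only a browser-side hint;
    // the server enforces the limits itself (byte lengths, via strlen).
    if (strlen($username) < MIN_LEN || strlen($username) > 64
        || strlen($password) < MIN_LEN || strlen($password) > 256) {
        return ['ok' => false, 'message' => LOGIN_FAILED];
    }

    // Tip 4: "admin" and "root" are decoys. Record who knocks, answer like any failure.
    if (in_array(strtolower($username), HONEYPOT_USERS, true)) {
        $db->prepare('INSERT INTO honeypot_attempts VALUES (?, ?, ?)')
           ->execute([$username, $ip, time()]);
        return ['ok' => false, 'message' => LOGIN_FAILED];
    }

    $stmt = $db->prepare('SELECT password_hash, last_login, last_ip FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Tip 2: unknown user and wrong password give the same message. Verifying
    // against a dummy hash when the user is missing keeps the response time
    // similar in both cases, so timing does not reveal which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $verified = password_verify($password, $row['password_hash'] ?? $dummyHash);
    if ($row === false || !$verified) {
        return ['ok' => false, 'message' => LOGIN_FAILED];
    }

    // Tip 6: tell the user about the previous login, then record this one.
    $previous = $row['last_login'] === null
        ? 'This is your first login.'
        : sprintf('You last logged in on %s with the IP: %s',
                  date('d/m/Y \a\t g.ia', (int) $row['last_login']), $row['last_ip']);
    $db->prepare('UPDATE users SET last_login = ?, last_ip = ? WHERE username = ?')
       ->execute([time(), $ip, $username]);

    return ['ok' => true, 'message' => $previous];
}

// Usage with constructed sample data:
$db = setupDb();
registerUser($db, 'example_user', 'correct horse battery');
print_r(login($db, 'example_user', 'wrong password', '127.0.0.1'));         // generic failure
print_r(login($db, 'nobody_here', 'wrong password', '127.0.0.1'));          // same generic failure
print_r(login($db, 'admin', 'letmein123', '127.0.0.1'));                    // logged as a honeypot hit
print_r(login($db, 'example_user', 'correct horse battery', '127.0.0.1'));  // first login
print_r(login($db, 'example_user', 'correct horse battery', '127.0.0.1'));  // reports last login and IP
```

The three failing calls all return the identical "Incorrect Username / Password" string, so nothing in the response tells the caller whether the username was unknown, the password wrong, or the account a decoy; only the honeypot_attempts table, visible to the administrator, records the difference.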

And there you have it! A couple of basics on keeping your website secure. Remember, though, that no script is 100% secure. I have only scratched the surface of security in login systems here; Jeff Skrysak covers what I have just talked about and more, including SQL injection, something I haven't really covered here and which is a huge risk!

