Tag Archive for 'Security'
If you liked this post, perhaps you'd like to buy me a coffee?
I was just browsing around and found an Ajax login system I'm going to try to implement on whatever project I have next! What are the pros and cons of using an Ajax system?
Pros:
- User does not need to refresh the page to log in.
- User is notified instantly of an incorrect username/password combination.
- Overall user experience is more seamless.
- Password is never sent in plain text (more secure than the traditional system).
- JavaScript convenience with server-side security (uses PHP/MySQL).
- Uses a one-time random seed to hash the password before sending (making interceptions useless).
Cons:
- System is more prone to brute-force attacks.
  - Can be minimized by adding a delay after a certain number of attempts per username or per client.
- User may expect a login button.
  - One could still be added without reloading the page.
- Older versions of Safari cannot disable a password field.
- This code uses the MD5 encryption algorithm, which has since been proven to be less secure than previously thought. If you use this code, I strongly recommend you switch to a more secure encryption algorithm, such as SHA-1. For sites where security is not crucial, MD5 should suffice.
I have never used Ajax that much; those pros and cons are taken from the script's website, which can be found here. However, it is getting more and more popular and it certainly does provide a certain “wow” factor! Either way, I just thought I’d tell you about it in case anyone else is looking for one!
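To make the "one-time random seed" point concrete, here is the challenge-response exchange the pros list describes, written out in PHP with both the server and the browser side in one file. This is an added example, not the code of the script linked above; the exact message layout is an assumption (server stores hash(password), client sends hash(hash(password) . seed)), and HASH_ALGO is a knob I added so the MD5 the script used can be swapped for any algorithm PHP's hash() supports. The user "alice" and her password are constructed sample data.

```php
<?php
// Added example (not the script the post links to): the one-time-seed
// challenge-response login the post describes, with both sides in one file.
// Assumptions not stated in the post: the server stores hash(password), the
// client sends hash(hash(password) . seed), and HASH_ALGO is configurable
// (the post's script used MD5; any algorithm hash() supports works here).
declare(strict_types=1);

const HASH_ALGO = 'sha256';

// Constructed user table. For this scheme the server has to store the
// *unsalted* hash of the password, because that is all the browser can compute
// from what the user typed; a leaked table is therefore directly brute-forceable.
$userTable = [
    'alice' => hash(HASH_ALGO, 'correct horse battery staple'),
];

// Step 1 (server): issue a fresh random seed and remember it for one attempt.
function issueSeed(array &$pendingSeeds, string $username): string
{
    $seed = bin2hex(random_bytes(16));
    $pendingSeeds[$username] = $seed;
    return $seed;
}

// Step 2 (client, normally the page's JavaScript): hash the password locally,
// then hash that together with the seed, so the raw password never leaves the browser.
function clientResponse(string $password, string $seed): string
{
    return hash(HASH_ALGO, hash(HASH_ALGO, $password) . $seed);
}

// Step 3 (server): recompute the expected response from the stored hash and
// the outstanding seed, then compare in constant time. The seed is discarded
// whether or not the check passes, so a captured response cannot be replayed.
function verifyResponse(array $userTable, array &$pendingSeeds, string $username, string $response): bool
{
    if (!isset($userTable[$username], $pendingSeeds[$username])) {
        return false; // unknown user or no outstanding challenge
    }
    $seed = $pendingSeeds[$username];
    unset($pendingSeeds[$username]);
    $expected = hash(HASH_ALGO, $userTable[$username] . $seed);
    return hash_equals($expected, $response);
}

// One exchange: the seed goes server -> client, the response goes client -> server.
$pendingSeeds = [];
$seed = issueSeed($pendingSeeds, 'alice');
$response = clientResponse('correct horse battery staple', $seed);
var_dump(verifyResponse($userTable, $pendingSeeds, 'alice', $response));
var_dump(verifyResponse($userTable, $pendingSeeds, 'alice', $response)); // seed already consumed
```

Run with `php` on the command line: the first verifyResponse() call succeeds and the second fails, because the seed was thrown away after one use. Note what the scheme does and does not buy you: the password itself is never on the wire, but the server must keep an unsalted hash, and an attacker who captures a seed/response pair can still guess passwords offline against it, which is the "more prone to brute force" con above. The per-username or per-client delay the list suggests is the mitigation for that.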

The Average User
Yes = -1 Point. No = 1 Point
1. Is your password below six characters?
2. Is your password just upper or lowercase letters?
3. Is your password numberless?
4. Do you use the same password on every website?
5. Your password isn’t a word right? In any language?
6. Your password isn’t a phrase?
7. Your password isn’t a character in a movie, a movie, a religious figure, place or event, band or author?
8. Your password isn’t a name or nickname?
9. Your password isn’t a word backwards?
10. Your password isn’t a simple word with numbers replacing letters? Example: pa55w0rd
11. Your password isn’t a simple assortment of letters across the keyboard. Example : qwerty
The Obsessed Security User
Yes = 3 Points. No = 0 Points
1. Your password is a random assortment of letters and numbers you have memorised.
2. Your password contains special characters.
3. Your password is over ten characters.
4. Your password uses uppercase letters, lowercase letters, numbers and special characters.
5. Your password is an MD5 or SHA-1 string of a password you know.
Results:
-20 to 5 points = Reconsider your password. It’s not secure.
5 to 11 points = Your password is good; it could be better, but at least you’re trying!
11 to 16 points = Your password is definitely secure! Well done!
16+ points = Well.. You’ve taken every precaution! No one’s going to be hacking you any time this century, hey?
This article is really based on PHP, but the tips are general and can work in any language.
1. Usernames and passwords should be 6 characters long, or more.
2. Don’t give any extra information on a failed login.
This, I believe, is one of the most important parts of making your login system. You see many websites with the "Incorrect Password" message, and as helpful as it is, it really is a security risk. On any scripts I make myself I ALWAYS go for the old reliable "Incorrect Username / Password", and so should you; why give the crackers more information than they need?
3. Passwords in the user account table of your database must be encrypted.
MD5 them or SHA-1 them; it’s an open debate which you use, which is more secure, etc. In the end, if the cracker has access to the database you’re in a bad place already! But why give them all the user passwords?
4. Never use "admin" or "root" as your administrator username.
This one is pretty important. Usually what I do here is set up my own account as the admin, then have root and admin as fake accounts that log the IPs of people who try to log into them. You could go a bit more extreme here and ban the IP from the website straight away when they try to log in; I tend to steer away from that, though, and just log the number of attempts and so on!
5. Create a separate area for administrators to log in.
I only ever saw this technique used when working at Absolute Events: the admin centre was actually based off the address http://www.absoluteevents.ie/password (of course there was a login after that), but it does throw off the casual person and makes it quite difficult. The only way this is really useful, though, is if you ONLY have admin settings inside this centre, and if the user logs into the system normally they are treated like a normal user.
6. Logging users last login and IP.
This is one of my favourites: when the user logs in, just use the PHP time() function and store it in the database, then fetch their IP and store it in the database as well. From there you can tell the user their last login and IP, for example: You last logged in on 09/06/2007 at 3.00pm with the IP: 127.0.0.1. From there the user can easily tell if they did not log in at that time and report it to an administrator.
7. Use the maxlength attribute in forms.
This is another handy one to consider; it stops the average user from shoving nasty code in there!
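Tips 2, 3, 4 and 6 fit naturally into one login handler, so here they are together as a working PHP example. This is added here and is not the post's own code: it uses an in-memory SQLite database through PDO so it runs stand-alone (a real site would point the DSN at its own MySQL server), and it stores passwords with password_hash()/password_verify() (salted bcrypt) instead of the plain MD5 or SHA-1 mentioned in tip 3, because that handles the salt the post does not talk about. The account name `s.ops-admin`, its password and the IP addresses are constructed sample values.

```php
<?php
// Added example (not the post's own code): a login handler covering tips 2, 3,
// 4 and 6 above. SQLite in memory via PDO keeps it self-contained; swap the DSN
// for your own database in real use. Account name, password and IPs are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL,
                               last_login INTEGER, last_ip TEXT)');
$db->exec('CREATE TABLE decoy_attempts (username TEXT, ip TEXT, attempted_at INTEGER)');

// Tip 3: store only a salted hash. password_hash() picks and stores the salt itself,
// which is the part a bare MD5/SHA-1 of the password leaves out.
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['s.ops-admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// Tip 4: the real administrator has a non-obvious name; "admin" and "root" exist
// only as decoys, and every attempt against them is logged with the client IP.
const DECOY_ACCOUNTS = ['admin', 'root'];

// Tip 2: one message for every failure, so a guess learns nothing about which half was wrong.
const GENERIC_FAILURE = 'Incorrect Username / Password';

function login(PDO $db, string $username, string $password, string $ip, int $now): array
{
    if (in_array($username, DECOY_ACCOUNTS, true)) {
        $db->prepare('INSERT INTO decoy_attempts (username, ip, attempted_at) VALUES (?, ?, ?)')
           ->execute([$username, $ip, $now]);
        return ['ok' => false, 'message' => GENERIC_FAILURE];
    }

    $stmt = $db->prepare('SELECT password_hash, last_login, last_ip FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // An unknown username still runs password_verify() against a fixed dummy hash,
    // so the failure path takes about as long as a wrong password and does not
    // leak which usernames exist through timing.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $valid = password_verify($password, $row ? $row['password_hash'] : $dummyHash);
    if ($row === false || !$valid) {
        return ['ok' => false, 'message' => GENERIC_FAILURE];
    }

    // Tip 6: tell the user about the previous login (stored time() value and IP)
    // before recording the current one.
    $previous = $row['last_login'] === null
        ? 'This is your first login.'
        : sprintf('You last logged in on %s with the IP: %s',
                  date('d/m/Y \a\t g.ia', (int) $row['last_login']), $row['last_ip']);

    $db->prepare('UPDATE users SET last_login = ?, last_ip = ? WHERE username = ?')
       ->execute([$now, $ip, $username]);

    return ['ok' => true, 'message' => $previous];
}

// Walk-through: a probe of the decoy account, a wrong password, then two real logins.
print_r(login($db, 'admin', 'letmein', '203.0.113.7', time()));
print_r(login($db, 's.ops-admin', 'wrong-password', '127.0.0.1', time()));
print_r(login($db, 's.ops-admin', 'correct horse battery staple', '127.0.0.1', time()));
print_r(login($db, 's.ops-admin', 'correct horse battery staple', '127.0.0.1', time() + 3600));
print_r($db->query('SELECT * FROM decoy_attempts')->fetchAll(PDO::FETCH_ASSOC));
```

Running it shows the decoy probe and the wrong password both getting the same generic message, the first real login reporting "This is your first login.", the second one reporting the earlier time and IP in the format tip 6 describes, and the decoy_attempts table holding the logged probe. The prepared statements with `?` placeholders are also what keeps the SQL injection mentioned at the end of the post out of the picture.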
And there you have it! A couple of basics on keeping your website secure; remember, though, that no script is 100% secure! I have only scratched the surface of security in login systems here. Jeff Skrysak covers what I have just talked about and more, including SQL injection, something I haven’t really covered here and which is a huge risk!