Security Basics mailing list archives

RE: Secure Login Form


From: <benoni.martin () accenture com>
Date: Thu, 17 Jan 2008 13:14:12 +0100

Hi Blake!

I developed an extranet/internet website for my former companies, and
here is what I can advise you:
- Never use javascript as it can easily be bypassed,
- Always use https for sending login/password,
- If possible, use an X.509 certificate issued by a known company (Verisign,
Thawte, etc.) as it,
- If necessary, use a client certificate as well (you will probably need
to pay for them ...),
- Never store a clear-text password in a DB as many companies do, but as
someone else suggested, just store their hashes (SHA-1, SHA-256, ...)

I set this up with ASP/MS SQL Server by the way ...

"I was thinking of using a random number generator to assign the codes.
I am assuming this will also mean that I need a secure way of checking
the database for the code and returning the data? Should https be
implemented here?" ... Hmm, this should be performed on the server
side, and just send back the proposed code to the user (via https of
course).

Don't forget to handle the "Oh God, I forgot my password, what can I do
?", preventing automatic brute-force attacks with spiders,
registering who does what (depending on your country, you will have to
inform the authorities that you log client data!) and so on ...

HTH !

Regards.

PS: You can get in touch offline if you need more information.
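An added worked example (not from the thread, and not Benoni's or Blake's
code) of the server-side part of the advice above, in Python rather than the
ASP/MS SQL setup mentioned. Passwords are stored as salted, iterated SHA-256
hashes (PBKDF2) rather than a single bare hash of the password; access codes
are generated on the server from the OS random source and kept in the database
only as a hash, so a copy of the table cannot be used to redeem unused codes;
each code is tied to the user who registered with it; repeated failed logins
lock the account for a while; and every event is written to an audit record
(the "who did what" log). The in-memory dictionaries stand in for database
tables, and the iteration count, salt length and lockout limits are
assumptions chosen for the example, not values from the thread.

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumed parameters (not from the thread); tune to your hardware and policy.
PBKDF2_ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16               # per-user random salt
MAX_FAILURES = 5              # failed logins tolerated per LOCKOUT_SECONDS window
LOCKOUT_SECONDS = 900


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash for storage: 'pbkdf2_sha256$iters$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iters, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


# Verified against for unknown usernames, so "no such user" and "wrong
# password" take the same time and give the same answer to an attacker.
DUMMY_HASH = hash_password(secrets.token_hex(16))


def generate_access_code() -> str:
    """160 bits from the OS CSPRNG, rendered as 32 base32 characters (no padding)."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def code_key(code: str) -> str:
    """Codes are high-entropy, so a plain SHA-256 is enough to store them hashed."""
    return hashlib.sha256(code.strip().upper().encode("ascii")).hexdigest()


class Store:
    """Stand-in for the database tables (constructed for this example)."""
    def __init__(self) -> None:
        self.users = {}     # username -> stored password hash
        self.codes = {}     # sha256(code) -> claiming username, or None if unclaimed
        self.failures = {}  # username -> timestamps of recent failed logins
        self.audit = []     # (timestamp, username, event): who did what


def issue_access_code(store: Store) -> str:
    """Generate a code server-side; only its hash is written to the DB."""
    code = generate_access_code()
    store.codes[code_key(code)] = None
    return code   # hand this to the buyer (receipt, e-mail); never store it as-is


def register(store: Store, username: str, password: str,
             access_code: str, now: float) -> bool:
    key = code_key(access_code)
    if key not in store.codes or store.codes[key] is not None:
        store.audit.append((now, username, "register-bad-code"))
        return False                        # unknown or already-claimed code
    if username in store.users:
        return False                        # usernames must be unique
    store.users[username] = hash_password(password)
    store.codes[key] = username             # code is now tied to this user
    store.audit.append((now, username, "register"))
    return True


def login(store: Store, username: str, password: str, now: float) -> bool:
    recent = [t for t in store.failures.get(username, []) if now - t < LOCKOUT_SECONDS]
    if len(recent) >= MAX_FAILURES:
        store.audit.append((now, username, "login-locked"))
        return False                        # slows down automated guessing
    stored = store.users.get(username)
    ok = verify_password(password, stored or DUMMY_HASH) and stored is not None
    if not ok:
        recent.append(now)
        store.failures[username] = recent
        store.audit.append((now, username, "login-fail"))
        return False
    store.failures.pop(username, None)
    store.audit.append((now, username, "login"))
    return True


if __name__ == "__main__":
    db = Store()
    code = issue_access_code(db)
    print("code for the buyer:", code)
    print("registered:", register(db, "blake", "correct horse", code, now=0.0))
    print("reuse of code:", register(db, "mallory", "x", code, now=1.0))
    print("login:", login(db, "blake", "correct horse", now=2.0))
    print("stored row:", db.users["blake"])
```

The whole exchange happens over the server's HTTPS endpoint; the browser only
ever submits the username, password and code, and the "remember me" step
from the original question would be a separate server-issued session token,
not the password saved on the client.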

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Jonathan Askew JBASKEW
Sent: Wednesday, 16 January 2008 22:29
To: security-basics () securityfocus com
Subject: Secure Login Form


First of all, I have very limited experience with web development and
programming. That being said, I have been tasked with creating a secure
login form. What I need to accomplish is the following:

1. The user registers their user name and password, and then provides an
access code to prove they have bought the product and should have access
to the site.
2. The user then enters their username/password into the form in order
to login.
3. Upon returning to the site, the username and password should be
remembered and the user should not have to enter these again.

I have been looking at various ways to create the login form (php,
javascript, etc.) but I am concerned about the security provided. For
example, the simple examples of javascript logins expose the password by
looking at the page source. Since I am new to web development, I do not
feel confident enough to create my own form. Each user needs to have
their own unique username/pass combo as well. Can anyone suggest some
examples or point me to a resource to get me started?

Also, this site has not been built yet and this is the first thing they
want done. I need some ideas for generating the access code and then
keeping track of which code has been assigned to which user. I was
thinking of using a random number generator to assign the codes. I am
assuming this will also mean that I need a secure way of checking the
database for the code and returning the data? Should https be
implemented here?

Thanks in advance for any advice offered. Being new to these
technologies, I thought I should run everything by those more seasoned.

Blake





