How to design a secure user login function

The user login function is the most basic function of the Web application system. It is related to the security of user data and application system data. Designing a secure user login function involves the following aspects.
(1) Conventional discussion-Password
1. password length and complexity Constraints
Restrict users to enter passwords that are very easy to crack, such as qwert, asdfg, 123456, and password. Refer to the design of Twitter and Facebook to blacklist such passwords, passwords in the blacklist are not allowed. At the same time, the length and complexity of the user's password are also checked, requiring the user to set a sufficient length and the complexity of the password conforms to the security policy.
In terms of password security, user experience and security may be relative. Restrict the length and complexity of certain passwords and passwords, which may not be very good for user experience. Therefore, many successful and well-designed social networking websites (SNS) provide UX to let users know what their password strength is, so that users can have a choice, the purpose is to tell the user-to ensure security, set the password better first.
2. Do not save your password in plain text
Users can log on to many websites with the same ID and password. Therefore, if the password is stored in plain text in the Web application system, it will be disastrous for users to spread the data by bad employees. Therefore, the user's password must be encrypted and saved, preferably with irreversible encryption, but do not directly use encryption algorithms such as MD5 or sha1.
3. Do not allow the browser to save the password
It is very convenient for the browser to remember the password, because it is impossible for the user to remember so many passwords. It can only help with some tools to help remember them. The browser is just one of them. However, for the security of user data, there are many ways to get the password that the browser remembers. Therefore, do not allow the browser to save the user name and password.
(2) User Logon status
HTTP is a stateless protocol that cannot record the user access status. Each user request is independent and unrelated. Our web application systems are designed to form multiple pages. During the page Jump process, we need to know the user status, especially the user logon status, in this way, after the page jump, we will know whether users can have the permission to operate some functions or view some data.
Each page needs to authenticate the user's identity. Of course, we cannot allow users to enter user names and passwords on each page. To achieve this function, the Web application system stores the user login information in the client's cookie, and each page obtains the user login information from this cookie, this allows you to record the status and verify the user. However, the use of cookies is not simple. The following are some principles for using cookies.
1. Do not store users' passwords in cookies
Do not store users' passwords in cookies. encrypted passwords do not work. This password can be obtained and tried offline. Therefore, the user's password must not be stored in the cookie.
2. Correct design: "Remember the password"
This function is a security risk. Generally, the user selects this function and the system generates a cookie. Cookie includes the user name and a fixed hash value. This fixed hash value is always used. In this way, you can log on to all devices and customers, and multiple users can log on at the same time. A safer approach is:
1) in the cookie, save three things-user name, logon sequence, and login token.
? Username: plaintext storage.
? Logon sequence: a random number hashed by MD5. It is updated only when the user is forced to enter the password (for example, the user has modified the password ).
? Logon token: a random number hashed by MD5. It is valid only for one logon session and will be updated for the new logon session.
2) The above three elements will exist on the server, and the server needs to verify the three elements in the client cookie.
A logon token is used to log on to a single instance. This means that a user can only have one logon instance. The logon sequence is used for theft detection.
If the user's cookie is stolen and the hacker uses this cookie to access the website, our system considers it as a legal user and then updates the "Login token ". When a real user returns for access, the system finds that only the "user name" is the same as the "Login Sequence", but the "Login token" is incorrect. In this way, the system will know that, this user may be compromised. Therefore, the system can clear and change the logon sequence and logon token, so that all cookies can be invalidated and the user is required to enter the password. And warn the user of system security.
3. Do not allow cookies to access all operations
Refer to the XSS attack on Sina Weibo, even if the cookie has the permission to access all operations after logon. You must enter the password for the following features:
? Modify the password.
? Modify email.
? User privacy information.
? The user's Consumption Function involving money.
(3) password retrieval
The password retrieval function must be provided. Currently, the common password retrieval functions include:
1) Security Q &.
It turns out that this process is annoying, and users cannot properly set security questions and answers. What, my birthday, my mother's birthday, and so on. Because today's Internet is different from the previous one. Due to SNS, today's Internet is more real than before. on Facebook, happy, Renren, and LinkedIn, we found a lot of real information.
2) reset the user's password.
This may expose users' passwords to malicious attacks.
3) safe practices-reset by email.
When a user applies for password retrieval, the system generates an MD5 unique random string (which can be stored in the database through uid + IP + timestamp + random number, then, set the upper limit (for example, within 1 hour) and send an email to the user. The connection contains the MD5 string link, you can click the link to reset the new password.
4) more secure practices-multi-factor authentication.
For example, you can enter a verification code by using a mobile phone or email. You can also use a digital certificate or a dynamic password. Whether multiple authentication is used depends on the importance of the web application system.
(4) defense against brute-force cracking
1) Use the verification code.
The verification code is a temporary Random verification code generated in the background. This verification code is generally an image that is hard to recognize by a computer. In this way, the user's password can be tried in the form of a program.
It turns out that this is the simplest and most effective method. Of course, it is difficult for users to enter verification codes that are invisible to the naked eye. For example, Google requires you to enter a verification code when a large number of searches are sent by an IP address.
2) User Password failures
Set the maximum number of failed passwords. If too many failed passwords are set, the account is locked. You need to reactivate the account by retrieving the password.
However, this function may be used by malicious users, resulting in unavailability of user accounts (a disguised Denial-of-Service attack ). A better way is to combine the IP address for verification, while increasing the time cost of trying to crack. For example, the interval between two password attempts is 5 seconds. Three or more errors occur, the account is temporarily locked for 30 seconds, the account is locked for more than 5 times for 1 minute, and the account with more than 10 errors is locked for 4 hours. If you find that there are too many errors from the same IP address, the correct way is to prohibit the user from logging on to this IP address, rather than simply prohibiting the user from logging on.