In light of the exposure of the msdn plaintext password leak, many websites are reflecting on how much they have neglected network security, while some shameless sites are using the leaked list to pad their registered user numbers; opportunity and risk coexist. Because of this incident, users will also raise their security expectations of all kinds of software systems, and the security of future software systems deserves more thought. The article below is worth your reference.
Address: http://coolshell.cn/articles/5353.html
Body:
The user login function of a website ought to be its most basic feature. However, after looking at the login functions of a number of sites, I think it is necessary to write an article that teaches you how to write a user login function. The following article shows that this feature may not be as simple as you think; it is closely tied to user security, and I hope you can find out from it what a good user login function looks like. When reproducing this content, keep it identical to the original and credit the author and source.
First, the user name and password. This is not the first time this site has talked about the topic: "How to manage your own passwords" tells you how to manage your own passwords, and "How to crack your passwords" tells you that, at modern computing speeds, it may be quite easy to brute-force your password. Here I want to tell developers how the user name and password should be designed. The rules are as follows:
- Restrict users from entering passwords that are very easy to crack. For example, qwert, 123456 and password should be blacklisted, just as Twitter restricts users' passwords. In addition, you can require a minimum password length, mixed case, and the presence of digits, and verify this in your program. Of course, this may make users uncomfortable, so many websites now provide UX that shows users the strength of their password (such as this interesting UX), so that the user is given a choice and told: to be secure, set a better password first.
- Do not save passwords in plain text. As "How to manage your own passwords" explains, users often use the same ID and password on many websites, so if your site stores passwords in plain text, it is disastrous for users when your data is leaked by a bad employee. Therefore passwords must be stored encrypted, preferably with an irreversible scheme such as a hash algorithm like MD5 or SHA-1. CSDN once stored users' passwords in plain text. (In addition, given the conduct of Chinese companies and the management practices of the relevant departments, I cannot guarantee that your passwords are encrypted on Chinese websites. I think that, as conscientious people, we should encrypt users' passwords before saving them.)
- Whether to allow the browser to save the password. We have any number of ways to prevent the browser from saving the user name and password, but this may be unpleasant for users: in the real world, nobody can remember so many passwords, and many users rely on password management tools, of which the browser is just one. Whether to let the browser save the password is a decision you have to make; the key is how demanding your system's security level is. If it is demanding, do not let the browser save the password, and tell the user clearly on the website that the safest place to keep a password is your own brain.
- Transmitting passwords over the Internet. Because HTTP is a plaintext protocol, the user name and password are also sent in plaintext, which is insecure (you can read this article to understand why). HTTPS must be used for encrypted transmission. However, many websites in China still use ActiveX controls for web login, which may be part of the reason IE6 still exists. My understanding is that these ActiveX controls are meant to defeat keyloggers, but I still think they should not exist, because you do not see ActiveX controls on many important websites outside China.
User login status
First, I want to point out that HTTP is a stateless protocol; that is, the protocol cannot record the user's access state, and each request is independent of the others. Our websites are built as multiple pages, and while jumping between pages we need to know the user's state, especially the login state, so that after a page jump we know whether the user has permission to use certain functions or view certain data.
Therefore, each page needs to authenticate the user's identity. Of course, we cannot ask users to enter their user name and password on every page; that would make them feel our website is pretty stupid. The most widely used technique for this is the browser cookie: we store the user's login information in a client-side cookie, and each page reads the login information from the cookie to record the state and verify the user. But are you using cookies correctly? Below are some principles for using cookies.
- Do not store the user's password in the cookie, not even an encrypted one. That password can be obtained and attacked offline. So never store the password in a cookie; I have seen too many sites doing this.
- Design "Remember password" correctly. This feature is a security risk, and I do not think every programmer knows how to design it. The usual design is: if the user selects this option, the system generates a cookie containing the user name and a fixed hash value, and that fixed hash is used forever. This way the user can log in from every device and client, and multiple users can be logged in at the same time, which is not very safe. Here are some safer approaches for your reference:
(-- Updated on February 26, . The original text had some minor errors and was unclear; I have revised it again. --)
1) Store three things in the cookie: the user name, a login sequence, and a login token.
User name: stored in plaintext.
Login sequence: a random number hashed with MD5. It is updated only when the user is forced to re-enter the password (for example, after the user changes the password).
Login token: a random number hashed with MD5. Only one login session is valid; a new login session replaces it.
2) All three items also exist on the server. To verify the user, the server checks these three items against those in the client cookie.
3) What effect does this design have?
A) The login token makes login single-instance: a user can only have one login instance at a time.
B) The login sequence is used for theft detection. If the user's cookie is stolen and the hacker uses it to access the website, our system treats the hacker as a legitimate user and updates the login token. When the real user comes back, the system finds that only the user name and login sequence match, but the login token does not. The system then knows this user's cookie may have been stolen, so it can clear and change both the login sequence and the login token, invalidating all cookies, require the user to enter the password again, and warn the user about the security of their account.
4) Of course, there are still problems with the above design, such as the same user logging in from different devices, or even from different browsers on the same device. One device will invalidate the login token and login sequence, so the other devices and browsers need to log in again, and this may also be reported as cookie theft. Therefore, you still need to consider the IP address:
A) If the user logs in with a password, we do not need to update the login sequence and login token (but the cookie still needs to be updated), because we assume the password is known only to the real user.
B) If the IP address is the same, we do not need to update the login sequence and login token (but the cookie still needs to be updated), because we assume the same IP address belongs to the same user (of course, a LAN also shares one IP address, but we assume that the user controls that LAN; this function is not recommended in Internet cafes).
C) If the IP addresses differ and the login is without a password, the login token will bounce back and forth between multiple IP addresses (the token changes between two or more addresses). After a certain number of such changes, the system concludes that theft is very likely and clears the login sequence and login token to invalidate the cookie, forcing the user to enter the password (or asking the user to change it) so that the cookies on multiple devices become consistent again.
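The three-field cookie scheme above (user name, login sequence, login token) with the theft detection of 3B and the IP rules of 4A to 4C, as an added Python example that is not code from the original article; the in-memory session table, the FLIP_LIMIT of 3 and the use of the OS CSPRNG for the random input are assumptions:

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class ServerRecord:            # constructed stand-in for the server-side session table
    sequence: str              # login sequence: changes only on password (re)entry
    token: str                 # login token: rotates on every cookie-only login
    last_ip: str
    ip_flips: int = 0          # token bounces between IPs without a password (4C)
    alerts: list = field(default_factory=list)

SESSIONS: Dict[str, ServerRecord] = {}
FLIP_LIMIT = 3                 # assumed; the article leaves the count unspecified

def new_hash() -> str:
    # "a random number hashed by MD5"; the random input comes from secrets
    return hashlib.md5(secrets.token_bytes(16)).hexdigest()

def password_login(user: str, ip: str) -> dict:
    """4A: a password login resets sequence and token and issues a fresh cookie."""
    rec = ServerRecord(sequence=new_hash(), token=new_hash(), last_ip=ip)
    SESSIONS[user] = rec
    return {"user": user, "seq": rec.sequence, "token": rec.token}

def cookie_login(cookie: dict, ip: str) -> Optional[dict]:
    """Verify a cookie-only visit; returns a refreshed cookie, or None to force a password."""
    rec = SESSIONS.get(cookie.get("user"))
    if rec is None or cookie.get("seq") != rec.sequence:
        return None                                   # unknown user or stale sequence
    if cookie.get("token") != rec.token:
        # 3B: sequence matches but token does not: someone else used this cookie
        rec.sequence, rec.token = new_hash(), new_hash()
        rec.alerts.append("token mismatch: cookie may have been stolen")
        return None                                   # all cookies now invalid
    if ip != rec.last_ip:
        rec.ip_flips += 1                             # 4C: token moved between IPs
        if rec.ip_flips >= FLIP_LIMIT:
            rec.sequence, rec.token = new_hash(), new_hash()
            rec.alerts.append("token bounced across IPs: forcing password")
            return None
        rec.token = new_hash()                        # 3A: single-instance token
        rec.last_ip = ip
    # 4B: same IP keeps sequence and token; the cookie is simply reissued
    return {"user": cookie["user"], "seq": rec.sequence, "token": rec.token}
```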
- Do not let the cookie alone authorize every operation; otherwise a single XSS attack is enough (for details, see the XSS attack on Sina Weibo). The password must be re-entered for the following features:
1) Changing the password.
2) Changing the email address. (Email is usually used to retrieve the password, so it is best to confirm the change by sending an email or a text message, or simply do not allow the account name to be changed by email.)
3) Changing the user's private information.
4) Any function that spends the user's money.
- Weigh the cookie expiration time. A cookie that never expires gives a good user experience, but it also lets the user quickly forget the login password. Setting an expiration time, such as two weeks or one month, may be better, but after two weeks or a month the user may still have forgotten the password. In particular, if a user saves a permanent cookie on a public computer, the account is leaked. So the cookie expiration time has to be weighed.
A password retrieval function must be provided, but many friends do not know how to design it. There are many designs for password retrieval; let us review them one by one.
- Never use security questions and answers. It has turned out that this process is annoying, and users cannot set proper security questions and answers: what, my birthday, my mother's birthday, and so on. Today's Internet is different from before; because of SNS, today's Internet is far more "real". I can go to Facebook, Kaixin, Renren or LinkedIn and find a lot of real information about you, and with that information I can use your security Q&A to reset your password. Facebook deserves a mention here: its security Q&A is very strong, requiring you to identify people from photos.
- Do not reset the user's password yourself. That opens the door to malicious attacks on the user's password. Of course, you would send the user a confirmation email with a link, and only after the user clicks it would you reset the password. I still do not recommend this method, because users tend to write down the hard-to-remember generated password and use it to log in, and since "Remember password" is used at login, they never change it; as a result, either the written-down password is stolen or it is forgotten.
- Better practice: reset by email. When the user requests password retrieval, the system generates a unique random MD5 string (for example from uid + IP + timestamp + random number, stored in the database), sets a time limit (for example 1 hour), and sends the user an email containing a link with that MD5 string. Clicking the link lets the user set a new password.
- Better practice: multi-factor authentication. For example, enter a verification code sent to a mobile phone or email. Mobile phone + email may not be enough, because the phone may be lost, and my phone can access my mailbox. So use Alibaba Cloud security, SecurID (a 6-digit token that changes), or manually verify the user's identity. Of course, this mainly depends on the security level of your system.
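The reset-by-email recipe (MD5 of uid + IP + timestamp + random number, stored with a 1-hour limit) as an added Python example, not code from the original article. The in-memory table, the `secrets`-based random number, the single-use rule and the storing of a SHA-256 of the token instead of the token itself are assumptions added here so that a leaked table cannot be replayed:

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

RESET_TTL = 3600.0          # the article's example limit: 1 hour

# constructed in-memory stand-in for the database table
RESETS: Dict[str, dict] = {}

def _lookup_key(token: str) -> str:
    # store a hash of the token, not the token, so a DB leak is not a reset link
    return hashlib.sha256(token.encode()).hexdigest()

def issue_reset_token(uid: str, ip: str, now: Optional[float] = None) -> str:
    """Build the MD5 reset string from uid + IP + timestamp + random number,
    record its expiry, and return the string to embed in the emailed link."""
    now = time.time() if now is None else now
    rnd = secrets.token_hex(16)                    # CSPRNG, never random.random()
    token = hashlib.md5(f"{uid}|{ip}|{now}|{rnd}".encode()).hexdigest()
    RESETS[_lookup_key(token)] = {"uid": uid, "expires": now + RESET_TTL, "used": False}
    return token

def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the uid the token belongs to, or None if it is unknown, expired,
    or already used. Each token can be redeemed exactly once."""
    now = time.time() if now is None else now
    rec = RESETS.get(_lookup_key(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True                             # burn it before any reset happens
    return rec["uid"]

def build_reset_link(token: str) -> str:
    # hypothetical URL; the article does not give one
    return f"https://example.invalid/reset?token={token}"
```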
Password-guessing detection and defense
- Use a verification code. The verification code is a temporary random code generated on the back end, usually rendered as an image that is hard for a computer to recognize, so that the user's password cannot be tried by a program. It has turned out to be the simplest and most effective method. Of course, users find it hard to enter codes that are barely legible. For example, Google requires a verification code when it finds an IP address sending a large number of searches, and when it finds the same IP address has registered more than three Gmail mailboxes, it sends you a code by text message or phone call.
- Limit password failures. Set a maximum number of failed password attempts; if too many failures occur, the account is locked and must be reactivated through password retrieval. However, malicious users can abuse this function. The better way is to raise the time cost of each attempt (like the decryption algorithm with a growing time cost mentioned earlier). For example: wait 5 seconds between two attempts; after three or more errors, lock the account temporarily for 30 seconds; after more than five, for 1 minute; after more than 10, for 4 hours, and so on. Malicious users can still attack with scripts, so it is best to add a verification code as well; if the verification code is wrong too many times, logon is disabled, but LP is disabled.
- System-wide defense. The defenses above target a single user. Malicious users know this, so they generally use botnets to try a batch of user passwords, and the methods above may not be good enough. We need to monitor the number of password failures across the whole system. Of course, this requires baseline data collected when we are not under attack. For example, if your system averages 5000 password errors a day, then when the number exceeds that and the errors are concentrated in time, a hacker attack is indicated. What do you do then? Generally, the most common method is to increase the time cost for all users to try again after a wrong password.
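The escalating per-account delay schedule and the system-wide failure monitor from the two items above, as an added Python example that is not code from the original article. The 4-hour failure window, the "3x the hourly average of 5000/day" attack threshold and the 30-second global penalty are assumptions filled in where the article gives no number:

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

# per-account escalation from the article: 5 s between attempts; 3 or more
# failures -> 30 s lock, more than 5 -> 1 min, more than 10 -> 4 h
MIN_GAP = 5.0
LOCK_SCHEDULE = [(11, 4 * 3600.0), (6, 60.0), (3, 30.0)]   # (min failures, lock s)
FAIL_WINDOW = 4 * 3600.0        # assumed: failures older than this are forgotten

# system-wide defense: the article's baseline of ~5000 errors/day, checked per hour
DAILY_BASELINE = 5000
HOURLY_LIMIT = DAILY_BASELINE / 24 * 3    # assumed: 3x the hourly average means attack
GLOBAL_PENALTY = 30.0                     # assumed extra delay for everyone under attack

account_fails: Dict[str, Deque[float]] = defaultdict(deque)
last_attempt: Dict[str, float] = {}
global_fails: Deque[float] = deque()

def _prune(q: Deque[float], now: float, window: float) -> None:
    """Drop timestamps that have fallen out of the window."""
    while q and q[0] < now - window:
        q.popleft()

def under_global_attack(now: float) -> bool:
    _prune(global_fails, now, 3600.0)
    return len(global_fails) > HOURLY_LIMIT

def seconds_to_wait(user: str, now: float) -> float:
    """0.0 if a login attempt for user is allowed now, else seconds still to wait."""
    fails = account_fails[user]
    _prune(fails, now, FAIL_WINDOW)
    last = last_attempt.get(user, float("-inf"))
    wait = last + MIN_GAP - now
    for min_failures, lock in LOCK_SCHEDULE:      # longest lock first
        if len(fails) >= min_failures:
            wait = max(wait, fails[-1] + lock - now)
            break
    if under_global_attack(now):                  # slow every account down
        wait = max(wait, last + GLOBAL_PENALTY - now)
    return max(0.0, wait)

def record_failure(user: str, now: Optional[float] = None) -> None:
    """Call after a wrong password; feeds both the per-account and the global counters."""
    now = time.time() if now is None else now
    last_attempt[user] = now
    account_fails[user].append(now)
    global_fails.append(now)
```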
Finally, for user login, using third-party OAuth and OpenID is also a good choice.