[Tips] Will you use the Web user logon function?

The user login function on the Web should be the most basic function, but after I have seen the user login function of some sites, I think it is necessary to write an article to teach you how to use the user logon function. The following article tells you that this function may not be as simple as you think. It is a function related to user security. I hope you can refer to the following article

The user login function on the Web should be the most basic function, but after I have seen the user login function of some sites, I think it is necessary to write an article to teach you how to use the user logon function. The following article tells you that this function may not be as simple as you think. It is a function related to user security. I hope you can refer to the following article

The user login function on the Web should be the most basic function, but after I have seen the user login function of some sites, I think it is necessary to write an article to teach you how to use the user logon function. The following article tells you that this function may not be as simple as you think. It is a function related to user security, I hope you can find out in the following article what kind of method is a good user logon function.

Username and password

First, let's talk about the user name and password. This is not the first time this site has talked about it. How to manage your own passwords to let you know how to manage your own passwords, and how to crack your passwords to let you know the computing speed at such a modern speed, it may be easy to crack your password using brute force. Here I want to tell developers how to design the user name and password. The following rules:

Users are limited to enter passwords that are very easy to crack.. For example, qwert, 123456, and password are blacklisted just like twitter restricts users' passwords. In addition, you can limit the length of your password, whether it is case-sensitive, and whether there are numbers. You can use your program for verification. Of course, this may make users feel uncomfortable. Therefore, many websites now provide UX to let users know the strength of their passwords (such as this interesting UX ), in this way, the user can have a choice to tell the user-to ensure security, set the password better first.

Do not save your password in plain text. Just as how to manage your own passwords, users often use the same ID and password to log on to many websites. Therefore, if your website is stored in plain text, it would be disastrous for users if your data is circulated by bad employees. Therefore, the user's password must be encrypted and saved. It is best to use irreversible encryption, such as an irreversible encryption algorithm with a hash algorithm such as MD5 or SHA1. CSDN once saves the user's password in plain text. (In addition, for the conduct of Chinese companies and the management methods of relevant departments, I cannot guarantee that your passwords are encrypted on the Chinese websites. I think, as a conscientious person, we should encrypt and save users' passwords)

Whether to allow the browser to save the password. We have more than N methods to prevent the browser from saving the user name and password. However, this may be unpleasant for users. In the real world, no one can remember so many passwords. Many users may use some password management tools to save their passwords. Browsers are just one of them. Whether to let the browser save this requires you to make a decision. The key point is to check whether your system's security level is demanding. If so, do not let the browser Save the password, and tell the user clearly on the website-the safest place to save the password is your brain.

Transmission of passwords on the Internet. Because HTTP is a plaintext protocol, the user name and password are also sent in plaintext on the Internet, which is insecure. You can read this article to understand it. HTTPS must be used for encrypted transmission. However, many websites in China still use ActiveX controls for Web login, which may be the reason why IE6 still exists. I usually understand that these ActiveX controls are used to record programs on the anti-keyboard. However, I still think ActiveX controls should not exist, because ActiveX controls cannot be seen on many important websites outside China.

User Logon status

First of all, I want to tell you that HTTP is a stateless protocol, that is, this Protocol cannot record the user access status, and each request is independent and unrelated, one stroke is a stroke. Our websites are designed to form multiple pages. During the page Jump process, we need to know the user status, especially the user login status, in this way, after the page jump, we will know whether users can have the permission to operate some functions or view some data.

Therefore, each page needs to authenticate the user's identity.. Of course, we cannot allow users to enter their usernames and passwords on each page. This will make users feel that our website wants to be an SB. To achieve this function, the most widely used technology is the browser cookie. we store the user login information in the client cookie. In this way, each page obtains the user logon information from the cookie to record the status and verify the user. However, do you actually use cookies? Below are some principles for using cookies.

Do not store users' passwords in cookies. No encrypted password is supported. This password can be obtained and tried offline. Therefore, you must not store your password in cookies. I saw too many sites doing this.

Correct design of "Remember password". This feature is a security risk. I think not all programmers know how to design it. Below are some methods for your reference.

1) store three things in cookies --User Name,Logon Sequence,Login token.

User Name: Plaintext storage.

Logon Sequence: A random number encrypted by MD5. It is updated every time you log on with a password.

Login token: A random number encrypted by MD5. Only one logon session is valid. The new logon session updates it.

2) The above three items will exist on the server. The server's verification user needs to verify these three items in the client cookie.

3) Why is it designed like this? Because,

A)Login tokenIs a single instance login. This means that a user can only have one instance.

B)Logon SequenceIt is used for theft detection. If the user's cookie is stolen and the hacker uses this cookie to access the website, our system considers it as a legal user and then updatesLogin token", And the real user access system found that only"User NameAndLogon Sequence"Same, but"Login token"No, in this case, the system will know that this user has been stolen, so the system can clearLogon SequenceAnd Login tokenIn this way, all cookies can be invalidated and the user is required to enter the password. And warn the user of system security.

Do not allow cookies to access all operations. Otherwise, it is an XSS attack. For details about this function, refer to the XSS attack on Sina Weibo. You must enter the password for the following features:

1) modify the password.

2) modify the email. (The email is used to retrieve the user password)

3) users' privacy information.

4) User consumption function.

Password retrieval

The password retrieval function must be provided. However, many friends do not know how to design this function. We have a lot of designs for password retrieval. Let's review them one by one.

Never use Security Q &. It turns out that this process is annoying, and users cannot properly set security questions and answers. What, my birthday, my mother's birthday, and so on. Because today's Internet is different from before, because SNS, today's Internet is more real than before. I can go to facebook, happy, Renren, linkedIn shows you a lot of real information. With this information, I can use Security Q & A to reset your password. Facebook's security Q & A is very powerful, and you need to identify people through photos.

Do not reset the User Password. This may cause malicious attacks to the user's password. Of course, you need to send an email to the user for confirmation. The user clicks a link in the email and you can reset it. I do not recommend this method, because users usually take notes and write down the password, and then log on to the system, because the "Remember password" function is used when logging on to the system, as a result, the user will not modify the password, so that either the written password is stolen or the password is forgotten.

Better practice-reset by email. When a user applies for password retrieval, the system generates an MD5 unique random string (which can be stored in the database through UID + IP + timestamp + random number, then, set the upper limit (for example, within 1 hour) and send an email to the user. The connection contains the MD5 string link, you can click the link to reset the new password.

Better practice-multi-factor authentication. For example, you can enter a verification code by using a mobile phone or email. Mobile phone + email may not be sure, because the mobile phone may be lost, and my mobile phone can access my mailbox. Therefore, use Alibaba Cloud security, SecureID, or manually verify the user's identity. Of course, this mainly depends on the security level of your system.

Password detection and defense

Use verification code. The verification code is a temporary Random verification code generated in the background. This verification code is generally an image that is hard to recognize by a computer. In this way, the user's password can be tried in the form of a program. It turns out that this is the simplest and most effective method. Of course, it is difficult for users to enter verification codes that are invisible to the naked eye. For example, Google requires you to enter a verification code when it finds that an IP address sends a large number of searches. When he finds that the same IP address has registered more than three gmail mailboxes, he needs to send you a verification code by text message or by phone.

User Password failures. The maximum number of failed password reset attempts. If too many failed attempts are made, the account is locked. You need to reactivate the account by retrieving the password. However, this function may be used by malicious users. The best way is to increase the time cost of the attempt (a previously mentioned decryption algorithm that increases the time cost ). For example, the interval between two password attempts is 5 seconds. Three or more errors occur. The account is temporarily locked for 30 seconds, the account is locked for more than five times for 1 minute, and the account is locked for more than 10 times for 4 hours ......

Global System defense. The above defense only targets a certain user. Malicious users are aware of this, so they generally use "botnets" to try a bunch of user passwords, so the above method may not be good enough. We need to monitor the number of failures of all passwords in the system's full local area. Of course, this requires data that is not normally supported when we are not attacked. For example, if your system has an average of 5000 password errors every day, you can think that when the number of password errors exceeds the limit, and the time is relatively concentrated, it indicates that there is a hacker attack. What do you do at this time? Generally, the most common method is to increase the time cost for all users to try again after entering the wrong password.

References

• OWASP Guide To Authentication
• Dos and Don't 'ts of Client Authentication on the Web (PDF)
• Charles Miller's Persistent Login Cookie Best Practice
• Wikipedia: HTTP cookie
• Personal knowledge questions for fallback authentication: Security questions in the era of Facebook

Article from: cool shell Network