The first thing to declare is that this article is purely the ignorant view of a small developer without foresight or knowledge, and is intended only as a reference on Web system security.
1. Prerequisites
Implementing a secure authentication mechanism not only has to meet several key security goals at the same time, but also does so at the expense of other goals, such as ease of use, cost, and functionality.
2. Basic requirements to prevent misuse of password modification
Some basic requirements, written down so they can be consulted later.
1. Add a simple image verification code (CAPTCHA) to basically ensure that a person, not a machine, is operating;
2. This feature can only be accessed from a session that has already been authenticated;
3. Never supply the user name directly in any way, and never use a hidden form field or cookie to supply it; the identity must come from the session;
4. To prevent an attacker who has exploited a session hijacking vulnerability, cross-site scripting, or a page the user forgot to close from making unauthorized changes, require the user to re-enter the existing password;
5. To prevent typing errors, have the new password entered twice, and check that the two entries are identical;
6. In an important system, repeated failed use of the password modification function very likely means the account is under attack, and should be treated as such;
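The six requirements above, put together in one handler, as an added example that is not part of the original article. The storage, session object, PBKDF2 work factor and the lock threshold of five failures are all assumptions made here for the illustration; the point is the order of the checks and that the account identity is taken from the server-side session, never from the submitted form.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed parameters (not from the article): PBKDF2 work factor and the
# number of failed change attempts tolerated before the function is locked.
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_CHANGES = 5


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_changes: int = 0   # consecutive failed password-change attempts
    locked: bool = False


@dataclass
class Session:
    authenticated: bool = False
    username: Optional[str] = None   # set by the login flow, never by the client


def make_account(username: str, password: str) -> Account:
    salt, digest = hash_password(password)
    return Account(username, salt, digest)


def change_password(accounts: Dict[str, Account], session: Session,
                    form: Dict[str, str], captcha_valid: bool) -> str:
    """Apply requirements 1-6 in order; returns a status string instead of raising."""
    # (1) a human must have solved the image verification code
    if not captcha_valid:
        return "captcha_failed"
    # (2) only reachable from an already authenticated session
    if not session.authenticated or session.username is None:
        return "not_authenticated"
    # (3) identity comes from the server-side session only; any 'username'
    #     the client put in the form (hidden field, cookie) is simply ignored
    account = accounts.get(session.username)
    if account is None:
        return "not_authenticated"
    if account.locked:
        return "locked"
    # (5) the new password is typed twice and both copies must agree
    new_pw = form.get("new_password", "")
    if not new_pw or new_pw != form.get("confirm_password", ""):
        return "mismatch"
    # (4) re-enter the existing password so a hijacked session or an open
    #     page left behind cannot be used to take over the account
    if not verify_password(form.get("current_password", ""), account.salt, account.digest):
        # (6) repeated failures are a sign of attack: count them and lock
        account.failed_changes += 1
        if account.failed_changes >= MAX_FAILED_CHANGES:
            account.locked = True
            return "locked"
        return "wrong_password"
    account.salt, account.digest = hash_password(new_pw)
    account.failed_changes = 0
    return "ok"
```

The mismatch check runs before the current-password check so that a sloppy submission does not consume a hashing round or a failure count; the lock counter is reset only on a successful change.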
3. Basic requirements to prevent misuse of password retrieval
Password retrieval may be the most vulnerable area today; some basic requirements, written down so they can be consulted later.
1. Add a simple image verification code (CAPTCHA) to basically ensure that a person, not a machine, is operating;
2. When a user forgets the password, an important system should preferably complete the retrieval through an out-of-band channel, such as a call to the call centre, traditional mail carrying fresh authentication information, or automatically freezing the account for a period of time;
3. SMS, e-mail and similar channels are likely to introduce loopholes, but they seem to be the cornerstone of the modern internet economy; if the mobile phone is lost, then good luck to you ....
4. Do not use any password "hint"; an attacker can use an obvious hint to launch an attack;
5. Never supply the user name directly in any way, and never use a hidden form field or cookie to supply it;
6. The security questions used to retrieve the password should be random enough that an attacker cannot easily guess them, but ... many problems are not black and white; they are a matter of balance, a gray area ...
7. Finally, once the user has passed all the checks and completed the retrieval, the usual practice is to e-mail the user a reactivation URL; even at this step, do not reveal the user's previous password or any other information. If instead a new password is generated and sent to the user by SMS, make sure that the new password is strong enough that an attacker cannot guess it.
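The retrieval flow described in points 1, 4, 5 and 7, as an added example that is not part of the original article: a CAPTCHA gate, a reply that is identical whether or not the address is registered, a random single-use reset link whose token is stored only as a hash, an expiry, and a CSPRNG-generated temporary password for the SMS variant. The `ResetService` class, the 15 minute lifetime, the PBKDF2 work factor, the `example.invalid` URL and the in-memory outbox are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import secrets
import string
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed policy values (not from the article): how long a reset link lives,
# the PBKDF2 work factor, and the length/alphabet of an SMS temporary password.
TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000
TEMP_PASSWORD_ALPHABET = string.ascii_letters + string.digits
TEMP_PASSWORD_LENGTH = 16
GENERIC_REPLY = "If that address is registered, a reset link has been sent."


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    digest: bytes


@dataclass
class ResetRecord:
    username: str
    expires_at: float
    used: bool = False      # a link works exactly once


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_account(username: str, email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, email, salt, _pbkdf2(password, salt))


def generate_temporary_password() -> str:
    """SMS variant: CSPRNG-chosen characters, 62^16 (about 95 bits) of guessing space."""
    return "".join(secrets.choice(TEMP_PASSWORD_ALPHABET) for _ in range(TEMP_PASSWORD_LENGTH))


class ResetService:
    def __init__(self, accounts: List[Account]):
        self.by_name = {a.username: a for a in accounts}
        self.by_email = {a.email: a for a in accounts}
        self.records: Dict[bytes, ResetRecord] = {}   # keyed by SHA-256 of the token
        self.outbox: List[Tuple[str, str]] = []      # constructed stand-in for the mailer

    @staticmethod
    def _token_key(token: str) -> bytes:
        # Store only a hash so a leaked database does not yield live reset links.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def request_reset(self, email: str, captcha_valid: bool, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if not captcha_valid:
            return "captcha_failed"
        account = self.by_email.get(email)
        if account is not None:
            token = secrets.token_urlsafe(32)   # 256 random bits: not guessable
            self.records[self._token_key(token)] = ResetRecord(account.username, now + TOKEN_TTL_SECONDS)
            # The mail carries only the link, never the old password or a hint.
            self.outbox.append((email, "https://example.invalid/reset?token=" + token))
        # Identical reply whether or not the address exists, so the form
        # cannot be used to discover which e-mail addresses are registered.
        return GENERIC_REPLY

    def confirm_reset(self, token: str, new_pw: str, confirm_pw: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        record = self.records.get(self._token_key(token))
        if record is None or record.used or now > record.expires_at:
            return "invalid_token"          # one message for every failure reason
        if not new_pw or new_pw != confirm_pw:
            return "mismatch"
        record.used = True
        account = self.by_name[record.username]
        account.salt = os.urandom(16)
        account.digest = _pbkdf2(new_pw, account.salt)
        return "ok"

    def check_password(self, username: str, password: str) -> bool:
        a = self.by_name[username]
        return hmac.compare_digest(_pbkdf2(password, a.salt), a.digest)
```

Expiry and single use are checked on the stored record rather than encoded in the link, so a captured or replayed link is useless once it has been consumed or has aged out, and the old password is never readable from anything the flow stores or sends.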
Watch your door - Ensure the security of the authentication mechanism (5) - Prevent misuse of password modification and password retrieval