Safe Authentication Controls
Which of the following is/are required as safe authentication controls at login page?
- Enable SSL
- Define acceptable Inputs
- Use Salted Hash technique
- Disable password save and AutoComplete/fill-in
- All of them
Correct Answer: 5) All of them. On further reading, you will understand what these controls offer and realize each of them is required to protect against different attacks.
- Use SSL to ensure privacy of communications over the Internet. SSL ensures all data sent from the browser to the web server is encrypted. SSL also assures of the authenticity of the server you are communicating with.
- Define acceptable inputs for e.g. accept only alphanumeric and less than 16 characters. Reject everything that does not fit this rule. Follow a strict policy and accept only what is allowed. Validate all user inputs.
- Use a salted hash technique for transmitting passwords, even when you’re using SSL. This ensures two things: one, you’re not vulnerable to a replay attack (via Browser Refresh) and two, passwords cannot be stolen from the submit cache of the browser.
- The “Remember Password” feature is convenient, but very unsafe. Avoid it as far as possible. Ensure that the authentication details stored in cookie does not contain the actual username and password in plaintext. And warn users not to use it from shared computers. Also set AUTOCOMPLETE = “off” to indicate most browsers not to store that field in the password management feature. You can read more on Security issues in ‘Remember Me’ feature.
Safe Authentication Best Practices article tells you ten good practices that ensure your authentication system is safe against an attack.