How to appropriately secure a log in?

2018-06-07 00:22:09

As a more broad question I would like to ask what is the current best strategy for securing a website login. I know all of the basics, like salting a password, hashing the password, and using SSL to encrypt the transmission, but I feel that may not always be enough. What are the best, "hack-proof" methods out there?

Your points are already the most important ones, additionally you can do this:

Use a slow key derivation function like BCrypt to hash the password.

Add the X-Frame-Options to the HTTP header of your login page, so that the page cannot be shown inside an iframe. This can help against clickjacking. In PHP this would look like that: header('X-Frame-Options: DENY'); .

Add the Content-Security-Policy to the HTTP header of your login page. If a browser supports CSP, this can be an effective protection against Cross-Site-Scripting. In PHP it would look like this: header("X-Content-Security-Policy: allow 'self'"); .

Regenerate the session id on the login page, to make session fixation more difficult.

Use HTTPS for the whole site, this avoids lots of problems. If you need to switch between HTTPS and HTTP, then use a separate cookie for authentication, have a look at this example.

Should your site be HTTPS only, then you can add the HTTP Strict Transport Security header. The HSTS can prevent users (that already visited your site once), from calling unsecure HTTP pages. This can help against SSL-strip.

Don't store password at all, but use SRP

http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol

链接地址: http://www.djcxy.com/p/21592.html

上一篇: 不使用SSL散列密码的最佳做法

下一篇: 如何适当保护登录？