When developing websites, no matter how small, you always want to use best practices. Use sound website security practices no matter if you are protecting vital personal information or not. With all my applications I perform a security review just to make sure I covered all the angles. Because I re-use code and best practices from website to website, I am basically covered, but security reviews are a necessary step - period.
Here I will go over my top 5 steps and recommendations about securing a logon area to a website. No rocket science here. Just common sense steps to hopefully thwart trouble.
One, validate the input data to avoid SQL Injection Attacks. Use “RequiredValidators”, “RegularExpressionValidators”, and parameterized queries. Not only validate the input on the web page, but also before sending the request to the database. Double-check!
Two, lock out accounts after 5 (or fewer) consecutive unsuccessful logon attempts to stop dictionary attacks and applications that sit and try passwords over and over. Don't notify the end user that the account has been locked. If it is indeed a mischievous person attempting to log on to the website, let them get frustrated trying to access a locked-out account.
Three, log unsuccessful and successful logon attempts to the website, including the IP address. Log the username and the date and time of the attempt, as well as the clear-text password for unsuccessful logons. Do not log passwords for successful logons, unless it is the hashed version. Clear this log regularly after each review.
Four, establish real-time notification thresholds on total logon attempts and unsuccessful logon attempts to the website that immediately notify someone of irregular logon behaviors. This will vary from application to application. For example, an email message might be sent to the webmaster if 30 consecutive unsuccessful logon attempts were made on the website in the last 5 minutes.
Five, have a process that regularly deactivates user accounts that have been unused after 'X' days or months to avoid someone logging into a dormant account.
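The lockout, logging and alert-threshold steps above, as an added example that is not part of the original post (Python rather than the ASP.NET code the post has in mind): a small logon monitor that locks an account after 5 consecutive failures without telling the caller, records every attempt with username, IP and time, and raises a webmaster alert when 30 consecutive failures land within 5 minutes. Account data, the salt and the sample credentials are constructed for the demo.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib

MAX_FAILURES = 5                      # step two: lock after 5 consecutive failures
ALERT_FAILURES = 30                   # step four: 30 consecutive failures ...
ALERT_WINDOW = timedelta(minutes=5)   # ... within 5 minutes raises an alert

def hash_password(password, salt):
    """One-way hash (PBKDF2); the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

@dataclass
class Account:
    salt: bytes
    pw_hash: str
    failures: int = 0        # consecutive failures so far
    locked: bool = False

@dataclass
class LogonMonitor:
    accounts: dict
    log: list = field(default_factory=list)                # step three: audit rows
    recent_failures: deque = field(default_factory=deque)  # step four: sliding window
    alerts: list = field(default_factory=list)             # stands in for e-mails

    def attempt(self, username, password, ip, now):
        acct = self.accounts.get(username)
        ok = (acct is not None and not acct.locked
              and hash_password(password, acct.salt) == acct.pw_hash)
        if acct is not None:
            acct.failures = 0 if ok else acct.failures + 1
            if acct.failures >= MAX_FAILURES:
                acct.locked = True   # silently; the caller still just sees "failed"
        self.log.append({"when": now, "user": username, "ip": ip, "ok": ok})
        if ok:
            self.recent_failures.clear()   # a success breaks the consecutive run
        else:
            self.recent_failures.append(now)
            while now - self.recent_failures[0] > ALERT_WINDOW:
                self.recent_failures.popleft()
            if len(self.recent_failures) >= ALERT_FAILURES:
                self.alerts.append(f"{len(self.recent_failures)} failed logons since "
                                   f"{self.recent_failures[0]:%H:%M}; last from {ip}")
                self.recent_failures.clear()
        return ok

def demo_accounts():
    salt = b"constructed-salt"   # constructed; use a random per-user salt in practice
    return {"alice": Account(salt, hash_password("Correct-Horse-42", salt))}
```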
Of course, you also need to use good judgement when allowing users to register on the website. I recommend the following:
One, require passwords at least 8 characters in length, not the same as the username, and including a mixture of letters (uppercase and lowercase), numbers, and special characters. This is a tough one to enforce, even on the website owner.
Two, hash all passwords using one-way hashing. This means you cannot email the user their password. You need to send them a new one and require them to change it on the next logon.
Personally, I think if you have done the above actions when it comes to user accounts and the logon area, you have done a lot more than most websites and have good security in place.