Author Topic: Login Security  (Read 1782 times)

0 Members and 1 Guest are viewing this topic.

Offline Sorunome

  • Fox Fox Fox Fox Fox Fox Fox!
  • Support Staff
  • LV13 Extreme Addict (Next: 9001)
  • *************
  • Posts: 7917
  • Rating: +373/-13
  • Derpy Hooves
    • View Profile
    • My website! (You might lose the game)
Login Security
« on: December 08, 2015, 02:10:14 pm »
So yeah guys,
You probably noticed that due to the recent hacking stuff I started making an SMF mod to drastically improve login security.

Well, how it goes with security it is best if it is discussed by multiple people, thus me making this thread (even though I believe my concepts to be secure currently, it's best to check back with others).

The current code can be found here: https://github.com/Sorunome/SMF-bcrypt


The concepts are:

Storing passwords
Using PHP's password_hash with PASSWORD_DEFAULT to hash+salt the passwords, storing the result in the DB.
I chose this way as it currently uses bcrypt with the perspective to the future to automatically upgrade to a stronger alg without the need to change any code

Transmitting passwords to server
Even though this should be fairly simple as we use https, it's still a good idea to add some extra security to that, especially since I plan to release this mod to normal SMF people who may not have https.
For that, as soon as the user hits login, there will be an AJAX request to fetch an RSA public key which was created in that instant and will only be valid for one min. The client will encrypt the password using that RSA public key, the server will then decrypt using the stored private key. Again, these temporary keys are only valid for one minute and can only be used once, they will be deleted right after being used.

Login cookies
For this I generate a random string (16 bytes) which gets hashed with password_hash using the PASSWORD_DEFAULT method. The actual random string will be set as cookie, the hash reaches the database. So each page load I check against that.
In addition each hash/pwd goes along with an index so that multiple sessions are possible.



So, any thoughts?

THE GAME
Also, check out my website
If OmnomIRC is screwed up, blame me!
Click here to give me an internet!

Offline Eeems

  • Mr. Dictator
  • Administrator
  • LV13 Extreme Addict (Next: 9001)
  • *************
  • Posts: 6161
  • Rating: +318/-36
  • C'est la vie
    • View Profile
    • Eeems
Re: Login Security
« Reply #1 on: December 08, 2015, 02:55:42 pm »
The client side stuff is all handled via JavaScript I assume. What happens if the user has JavaScript disabled (booo)?
/e

Offline Sorunome

  • Fox Fox Fox Fox Fox Fox Fox!
  • Support Staff
  • LV13 Extreme Addict (Next: 9001)
  • *************
  • Posts: 7917
  • Rating: +373/-13
  • Derpy Hooves
    • View Profile
    • My website! (You might lose the game)
Re: Login Security
« Reply #2 on: December 08, 2015, 03:00:15 pm »
If the user has JS disabled the password will be sent as-presented to the server and will be handled there, the user still gets to log in.

THE GAME
Also, check out my website
If OmnomIRC is screwed up, blame me!
Click here to give me an internet!

Offline Eeems

  • Mr. Dictator
  • Administrator
  • LV13 Extreme Addict (Next: 9001)
  • *************
  • Posts: 6161
  • Rating: +318/-36
  • C'est la vie
    • View Profile
    • Eeems
Re: Login Security
« Reply #3 on: December 08, 2015, 03:05:18 pm »
If the user has JS disabled the password will be sent as-presented to the server and will be handled there, the user still gets to log in.
Sounds good. So it's just more secure to leave JavaScript enabled on the site :P
/e

Offline Sorunome

  • Fox Fox Fox Fox Fox Fox Fox!
  • Support Staff
  • LV13 Extreme Addict (Next: 9001)
  • *************
  • Posts: 7917
  • Rating: +373/-13
  • Derpy Hooves
    • View Profile
    • My website! (You might lose the game)
Re: Login Security
« Reply #4 on: December 08, 2015, 03:05:37 pm »
If the user has JS disabled the password will be sent as-presented to the server and will be handled there, the user still gets to log in.
Sounds good. So it's just more secure to leave JavaScript enabled on the site :P
Exactly, that's the point :P

THE GAME
Also, check out my website
If OmnomIRC is screwed up, blame me!
Click here to give me an internet!

Offline TravisE

  • LV4 Regular (Next: 200)
  • ****
  • Posts: 182
  • Rating: +33/-0
    • View Profile
    • ticalc.org
Re: Login Security
« Reply #5 on: December 08, 2015, 04:44:26 pm »
Hehe, that's better than a situation where it's more secure to turn on Flash or Java, at least. :P
ticalc.org staff member—http://www.ticalc.org/