Login Security

Sorunome:
So yeah guys,
You probably noticed that due to the recent hacking stuff I started making an SMF mod to drastically improve login security.

Well, as it goes with security, it is best if it is discussed by multiple people, thus me making this thread (even though I believe my concepts to be secure currently, it's best to check back with others).

The current code can be found here: https://github.com/Sorunome/SMF-bcrypt


The concepts are:

Storing passwords
Using PHP's password_hash with PASSWORD_DEFAULT to hash+salt the passwords, storing the result in the DB.
I chose this way as it currently uses bcrypt, with the perspective of automatically upgrading to a stronger algorithm in the future without the need to change any code.

Transmitting passwords to server
Even though this should be fairly simple as we use https, it's still a good idea to add some extra security to that, especially since I plan to release this mod to normal SMF people who may not have https.
For that, as soon as the user hits login, there will be an AJAX request to fetch an RSA public key which was created in that instant and will only be valid for one minute. The client will encrypt the password using that RSA public key, and the server will then decrypt it using the stored private key. Again, these temporary keys are only valid for one minute and can only be used once; they will be deleted right after being used.

Login cookies
For this I generate a random string (16 bytes) which gets hashed with password_hash using the PASSWORD_DEFAULT method. The actual random string will be set as a cookie, and the hash goes into the database. So on each page load I check against that.
In addition, each hash/pwd goes along with an index so that multiple sessions are possible.



So, any thoughts?
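
Added example, not part of the thread and not taken from the SMF-bcrypt repository: a PHP illustration of the "Storing passwords" and "Login cookies" concepts from the post above. The in-memory $db array, the function names and the index:token cookie layout are assumptions made for this example.

```php
<?php
// Added illustration; NOT code from the SMF-bcrypt repository.
// $db is a constructed in-memory stand-in for the members and sessions tables.
$db = ['members' => [], 'sessions' => []];

function store_password(array &$db, string $user, string $password): void {
    // PASSWORD_DEFAULT selects the algorithm; the salt is generated and embedded in the hash.
    $db['members'][$user] = password_hash($password, PASSWORD_DEFAULT);
}

function check_password(array &$db, string $user, string $password): bool {
    $hash = $db['members'][$user] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // If PHP's default algorithm or cost changed since this hash was made,
    // re-hash now, while the plaintext is available.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        store_password($db, $user, $password);
    }
    return true;
}

function issue_login_cookie(array &$db, string $user): string {
    $token = bin2hex(random_bytes(16));   // 16 random bytes, as in the post
    $index = bin2hex(random_bytes(8));    // hypothetical format for the session index
    $db['sessions'][$index] = ['user' => $user,
                               'hash' => password_hash($token, PASSWORD_DEFAULT)];
    return $index . ':' . $token;         // cookie value; only the hash is stored
}

function check_login_cookie(array $db, string $cookie): ?string {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($db['sessions'][$parts[0]])) {
        return null;                      // malformed cookie or unknown index
    }
    $row = $db['sessions'][$parts[0]];
    return password_verify($parts[1], $row['hash']) ? $row['user'] : null;
}

// Constructed sample data.
store_password($db, 'alice', 'correct horse');
var_dump(check_password($db, 'alice', 'correct horse'));
var_dump(check_password($db, 'alice', 'wrong'));
$first  = issue_login_cookie($db, 'alice');
$second = issue_login_cookie($db, 'alice');   // second parallel session, own index
var_dump(check_login_cookie($db, $first), check_login_cookie($db, $second));
var_dump(check_login_cookie($db, 'bogus:value'));
```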

Eeems:
The client side stuff is all handled via JavaScript I assume. What happens if the user has JavaScript disabled (booo)?

Sorunome:
If the user has JS disabled the password will be sent as-presented to the server and will be handled there, the user still gets to log in.

Eeems:

--- Quote from: Sorunome on December 08, 2015, 03:00:15 pm ---If the user has JS disabled the password will be sent as-presented to the server and will be handled there, the user still gets to log in.

--- End quote ---
Sounds good. So it's just more secure to leave JavaScript enabled on the site :P

Sorunome:

--- Quote from: Eeems on December 08, 2015, 03:05:18 pm ---
--- Quote from: Sorunome on December 08, 2015, 03:00:15 pm ---If the user has JS disabled the password will be sent as-presented to the server and will be handled there, the user still gets to log in.

--- End quote ---
Sounds good. So it's just more secure to leave JavaScript enabled on the site :P

--- End quote ---
Exactly, that's the point :P
