secure authentication method

sgalmeida

Greetings

I'm looking for an article/tutorial/sample/method for a secure authentication method for user login and password.

can anyone give some suggestions?

TIA

Almeida

AstroTeg

Install and use SSL - can't beat it... Then you can use almost any authentication method on top of that.

sgalmeida

Originally posted by AstroTeg
Install and use SSL -

how can I do that? any sample, article?

AstroTeg

SSL has been around for quite a while now. A google search would help out. SSL can be complex if you're not sure what's involved. Also check out SSL providers since they have a lot of documentation on how to install SSL certificates...

sgalmeida

Originally posted by AstroTeg
SSL has been around for quite a while now. A google search would help out. SSL can be complex if you're not sure what's involved. Also check out SSL providers since they have a lot of documentation on how to install SSL certificates...

well SSL auth is out of question, cause there is no budget to it. what I'm searching is a php mysql based auth mechanism done with some careful to prevent hack attacks.

thanks

drawmack

Originally posted by AstroTeg
Install and use SSL - can't beat it... Then you can use almost any authentication method on top of that.

False, falacious and wrong even, your choosen authentication system is definately not secure if is does not conform to the owasp top 10.

AstroTeg

Ah, I was thinking of secure authentication as in securely transfering data (in this case, authentication data) between point A to B.

owasp.org doesn't seem to be comin up.

One might also mention securely storing the data on the server side (not sure if that's in owasp.org or not).

drawmack

it is touched on 😉

AstroTeg

I've seen their top 10 ten PHP security vulnerabilities:

http://www.sklar.com/page/article/owasp-top-ten

But this doesn't address authentication directly.

I did find this:

http://www.cgisecurity.com/owasp/html/ch06.html

Which I'm guessing is what you're referring to.

drawmack

No I'm referring to the owasp top 10, wait for their site to come back up and it's on there. It get's into validation of data, cross site scripting, etc., etc.

AstroTeg

I found this off of sourceforge: http://unc.dl.sourceforge.net/sourceforge/owasp/OWASPWebApplicationSecurityTopTen-Version1.pdf

Under A3.5: "Protecting Credentials in Transit - The only effective technique is to encrypt the entire login transaction using something like SSL. Simple transformations of the password such as hashing it on the client prior to transmission provide little protection as the hashed version can simply be intercepted and retransmitted even though the actual plaintext password is not known."

Granted, its just a tiny puzzle piece in the big picture. I think it may be safe to say there's more than one way to authenticate. Its a matter of selecting what's right for your app and making sure you don't hit any of the pitfals described in the owasp docs.

drawmack

I never said you shouldn't use SSL, you may have read that into my statement. I was simply saying that using SSL does not garentee you're safe. For example you can still be suseptible to XSS attacks even when using SSL.

Yes to have secure transmition of data you have to use SSL or third party encryption outside the browser. However secure data transmition does not make for a secure authentication system. For a secure authentication system you must also ensure that your sessions and/or cookies cannot be highjacked. You must make sure your passwords are secure. There are other bits as well, such as validating data before storing it in the database.

Of course you don't have to believe me: http://www.owasp.org/columns/mcurphey/history.html

Also since they are back on line now: http://www.owasp.org/documentation/topten.html