Basic advice needed for login methods/security

jennyp

I'm just starting to develop a PHP/MySQL-based login system for a website, and being quite new to this side of things I'm looking for some advice on methods, with some measure of security in mind.

The guide on this link seems straightforward enough (and not too difficult!), though there is a more security-conscious guide - involving more complex coding - at this link.

How paranoid should I be? Is it likely that someone may actually try to "sniff the network traffic" and so on?

I'd be very grateful for any basic pointers, rules of thumb or trusted tutorials. Many thanks!

etully

Is it likely that someone may actually try to "sniff the network traffic"

That is an excellent question. It's an excellent question because most "experts" answer the question wrong. They picture some hacker, sitting in a far off location, somehow floating around the Internet, wasting his time reading other people's Internet traffic as it flows from Chicago to New York - and they figure that that scenario would be so useless that nobody would ever do it. And they'd be right, nobody would ever do that.

But that's not how sniffing really happens in the real world. It happens one of two ways: First of all, an ISP in Chicago might hire some kid for $10/hour to intern at their ISP - he installs a sniffer that is intelligent enough to look for certain words like "username" or "password" or 16 digit numbers near numbers in the form: mm/yy.

The other way sniffing happens is from your IT department. You get a nice job, the company tells you they have a good Internet connection and they'll maintain your computer for you. And you surf ESPN at lunch and everyone's happy. Unfortunately, that IT department can watch everything you send - minus the SSL encrypted traffic of course. And if you think they don't watch, just try surfing some porn and see how fast they visit your desk. They have automated monitors that check traffic and alert them. They can easily put in monitors for phrases like "username" near the word "password".

So yes, it's 1000 times more common than you think. Learn to program as if you were protecting extremely important stuff, that way you'll get in good habits. If you learn bad habits, then you will use them on the important stuff too. And that'll get you sued.

Here's my best two pieces of advice:

First: Assume that the guy sitting next to you is going to get fired tomorrow. He will have seen (and may even have a copy of) all your PHP scripts. Write the code in such a way that it doesn't matter if he can see exactly how your wrote your PHP scripts.

Second: Assume that hackers are willing to spend 80 hours on cracking your site. Don't write in such a way that you are only protecting yourself against the average idiot. Don't say, "Well, this is confusing enough so that nobody could figure this out in forty five minutes - it'll protect against 99.99% of the public". You'll be right, 9999 out of 10,000 people will be kept out - but that remaining one person will cause you $400,000 in lost revenues.

jennyp

Thank you for that advice. I'm sure you're right to "err on the side of caution" -- as you say, it only takes one malicious attempt to make things totally regretful.

So - what might the rules of thumb be for login routines? Record the session id in a database, and use an ip check against sniffing, as in the second script link? What else?

I feel that someone will remind me that nothing's totally secure, but would these measures be "sufficient"?

laserlight

So - what might the rules of thumb be for login routines? Record the session id in a database, and use an ip check against sniffing, as in the second script link? What else?

I feel that someone will remind me that nothing's totally secure, but would these measures be "sufficient"?

Nothing is totally secure, but you can make things secure enough. The question would then be what are your requirements. For example, is this supposed to be developed for a mass market where users may be running on shared hosting? What are the consequences if your data is intercepted in transit? The IP address check is not good enough to protect against sniffing. As etully pointed out, you will need SSL/TLS for that.

jennyp

This will run on shared hosting, at least for its inception. It's really just a community website - no particularly sensitive information will be held, but, I'm aware how the common practice is for people to use the same password for all sorts of sites, so I'd prefer to give them a decent measure of security. Only recently I saw a dating site that had been hacked - it was urgently telling its members to change their passwords - I'd like to avoid that as much as possible. But otherwise it's no big deal. Martin Tsachev who wrote the second link seemed to think an ip check would "eliminate" network sniffing in his routines.

Maybe I guess I'm looking for the basic "do's" and "don'ts" so that I can build a login/remember login process that has what I'd imagine a decent attempt at security.

I saw the first link as a kind of "basic" and Tsachev's second as a better attempt. Maybe there's a great tutorial out there that I haven't found yet. :o

Thanks for helping.

NogDog

It's a bit pricey for its size, but there is a lot of good information in Essential PHP Security by Chris Shiflett.