Protecting User Accounts – Password Management

By Frank Forte

If you develop or manage a website, there are many reasons to take time and protect user data. Consider if your website is hacked:

  • In the case of eCommerce, fraud can be costly to the user and to the website owner.
  • It can cause privacy concerns and damage your brand.
  • It can allow hackers to spread viruses, send spam, and do a lot more damage through your website over long periods of time without you even knowing it.
  • You can be black-listed by search engines and email providers… making your website hard to find and preventing your emails from reaching any users.

Here are some tips to protect user accounts

To store user passwords:
The Password-Based Key Derivation Function, aka PBKDF2, allows you to store passwords securely, so that even if someone hacks into your database, it will be very difficult and time consuming for them to crack and steal passwords. This is important since many people re-use passwords!

To reset user passwords:
1) create a table with user_id, datetime, unique_hash
2) When a user requests to reset their password, create a unique hash, for example sha1(microtime().’random_salt’). Insert that value in the table and send an email to the user with a link that contains the hash.
3) when they click the link, check the table for the hash, if it exists, and it is within a time limit (e.g. 3 hours) let them reset their password. When the password is successfully reset, delete the hash.

To authenticate:
1) have a “password attempts” field that increments each time a login fails. If there are too many attempts (e.g. 10), even the right password should fail.
2) if there is a successful login (only before 10 attempts is reached) then the attempts should be set back to zero (this is also a good time to log the website access, including ip address, time, and user id- keeping track of website access is important in case an account is compromised.)
3) Once locked out, the only way to regain access should be with a password reset, usually done through email.
The above authentication logic thwarts brute force attacks. Even if a computer can try millions of passwords and guess the correct one, by the 11th attempt it will be locked out.

This entry was posted on Tuesday, July 9th, 2013 at 11:43 pm and is filed under Cyber Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.