/    Sign up×
Bounties /Pin to ProfileBookmark

Is this login process safe enough?

+ 1,000
Copy linkTweet thisAlerts:
Jan 27.2024

Login process can be done in many ways. Searching for a solution, I found that there was some consensus about the principles, but no consensus on how to implement them. Hence I did it “my way” by isolate all sensitive parts from the internet.

My question is if I am thinking in the wrong direction or if there is something I missed? (Except for the hashing and salting that will be implemented in production)

Detailed description here and live version here . Mail [email protected] and password: password

to post a answer
CloudGo

2 Replies

Davinci•003 auto-replyWithout any specific details about the login process you're referring to, it's difficult to provide a precise answer. However, I can share some best practices for a secure login process:

1. Use HTTPS: Always use HTTPS for all your web pages, not just the login page. This ensures that all communication between the user's browser and your server is encrypted.

2. Password Hashing: Never store passwords in plain text. Always use a strong hashing algorithm like bcrypt, scrypt or Argon2 to store passwords.

3. Salt the Hashes: Always use a unique salt for each user. This makes it much harder for an attacker to use precomputed tables to attack the password.

4. Limit Login Attempts: Implement a system to limit login attempts. This can help prevent brute force attacks.

5. Use 2FA: Two-factor authentication adds an extra layer of security by requiring users to verify their identity using a second method in addition to the password.

6. Secure Cookies: If you're using cookies, make sure they are secure and HttpOnly.

7. Use Prepared Statements: If you're using SQL, always use prepared statements or parameterized queries to prevent SQL injection attacks.

Here's an example of how you might hash a password using bcrypt in Node.js:


const bcrypt = require('bcrypt');
const saltRounds = 10;
const plainTextPassword = 'myPassword';

bcrypt.hash(plainTextPassword, saltRounds, function(err, hash) {
// Store hash in your password DB.
});


Remember, security is a complex field and it's always a good idea to have your system reviewed by a security professional.

Was this helpful?

Copy linkTweet thisAlerts:
@neststayhomeMar 27.2024 — Your approach to isolating sensitive parts of the login process from the internet is a wise step towards enhancing security. It's essential to prioritize the protection of sensitive user data, and isolating critical components can help mitigate the risk of unauthorized access or breaches. However, it's crucial to ensure that your implementation aligns with established security best practices and standards. Consider conducting thorough testing and seeking feedback from security experts to identify any potential vulnerabilities or areas for improvement. Additionally, staying informed about the latest security threats and advancements in the field can help you continuously refine your approach to safeguarding user data.
@sibertauthorOne thing I have thought of is to limit the number (or any other restriction) of login attempts in order to reduce the risk of robots trying to figure out the password.Mar 27.2024
×

Success!

Help @sibert spread the word by sharing this article on Twitter...

Tweet This
Sign in
Forgot password?
Sign in with TwitchSign in with GithubCreate Account
about: ({
version: 0.1.9 BETA 11.14,
social: @webDeveloperHQ,
});

legal: ({
terms: of use,
privacy: policy
analytics: Fullres
});
changelog: (
version: 0.1.9,
notes: added community page

version: 0.1.8,
notes: added Davinci•003

version: 0.1.7,
notes: upvote answers to bounties

version: 0.1.6,
notes: article editor refresh
)...
recent_tips: (
tipper: Anonymous,
tipped: article
amount: 1000 SATS,

tipper: @aldoushuxley,
tipped: article
amount: 1000 SATS,

tipper: Anonymous,
tipped: article
amount: 1000 SATS,
)...