Automatic login now implemented with unique secure tokens

Wed, Feb 27, 2013 at 2:25AM

The last few days has brought about a massive change in how Jetendo CMS handle security for its user accounts.

I previously wrote how we support OpenID login and redesigned the login page

And then I worked hard to implement best practices for encrypted password storage instead of plain text.

Slower to encrypt means slower to attack

It took over an hour of cpu time to hash the 20,000 account passwords. Slow is a good thing when it comes to security.  It would usually only take a few seconds to hash that many passwords. It took this long, because I implemented a very high work factor into the hash algorithms.  We wanted to prevent anyone from being able to brute force attack the database if it was ever stolen. Numerous bugs were worked out over the next day.

Google's login security features are a source of inspiration

When you login to Google (and many other companies) and tell them to remember your login, it actually stores a new unique token in the cookie instead of your password. So if someone stole your phone or tablet, they don't have your plain text password stored on the device, they just have a token which could only work on that device until you disable it. I used to think they were just storing your password, but fortunately that is not the case. This makes our accounts quite a bit more secure if you lose a device as long as we quickly reset our related passwords. Every independent piece of software / device that logs into Google has a separate unique token.

I wanted to have a solution that is just as good as Google authentication for our software. To do this on Jetendo CMS, I had to redesign our system to have several new features. Before today, we only had 1 record per user. No matter how many computers logged into that account, they all shared the same security information. Now we can store an unlimited number of devices for each account and the token can be individually controlled for each one.  If we detect theft or abuse on one token, we don't have to force all of them to logout.  I'm also going to place other limits on the tokens which will be configurable in the Server Manager per site.  This will let you have some security with less security and others with extreme security.

Past security concerns with automatic login

In the past, the remember password feature stored the user's password in plain text both in the cookie and in the database, which makes the password much easier to steal. The biggest concern with this is when a user has used that password on many different services, it leaves them more vulnerable. If any service they use is compromised, they may all be compromised. I really didn't want our software to become the reason for someone suffering identity theft or financial loss.  I think we've done a lot to improve this now, however, it's not perfect without adding SSL encryption.

SSL Encryption is mandatory if you as concerned with the security of your web site

Most of our web sites don't use SSL encryption to transmit data unless they are handling more sensitive information, but it is a good idea for every web site to start using SSL if they have admin / user account features. The password security features I've added to Jetendo CMS will be less effective in stopping security threats if the web site doesn't use SSL encryption. If SSL is enabled though, Jetendo CMS has now become a more secure and competitive solution.

Jetendo CMS will include these features in the free open source project

If your next project requires excellent security, you should check out Jetendo CMS - soon to be available under a free open source license. Being an open source solution, all the code I've written will be open to public scrutiny and this means that we'll have to stay on top of any bugs that users discover in addition to being proactive with testing and planning changes to our security features. Often, the more popular your software becomes, the more people try to hack it.

The login page was updated to look pretty with icons, new CSS styles and much nicer interactivity.

When logging in, Site Manager users will now be prompted with the following screen:

New Jetendo CMS Automatic Login Feature Screenshot

Automatic login prompt 

Future Plans

I wanted to improve the security because I plan to offer more ecommerce / security solutions in the future. My company web sites and a few clients do use SSL and I try to do everything possible on them to make them a very nice showcase for what our software can do. I may spend more time later to implement an OpenID server on one of my domains so that all of the non-SSL domains can at least authenticate with an SSL domain. For now, anyone using OpenID with Google, Yahoo and many others, you should realize that they do use SSL to protect your account information, so I recommend that all our customers and Jetendo CMS users switch to using OpenID for logging in to the site or ask us for a quote to setup SSL to protect their sites more.

I might add more features such as strong password requirements, password blacklist, login throttling, IP whitelist and more.  There are some excellent ideas out there.

Better security comes from learning from the community

There are some great resources explaining how to implement a very secure login system. I did plenty of research and verification to ensure I was indeed following best practices. I also didn't use any third party code and opted to build this system using my own code. Third party solutions introduce more dependencies and complexity into the project, and I want to keep it simple as possible.

Here are the resources I used so far:

Bookmark & Share