Automatic login now implemented with unique secure tokens
The last few days have brought about a massive change in how Jetendo CMS handles security for its user accounts.
I previously wrote about how we support OpenID login and redesigned the login page.
I then worked hard to implement best practices for encrypted password storage instead of plain text.
Slower to encrypt means slower to attack
It took over an hour of CPU time to hash the 20,000 account passwords. Slow is a good thing when it comes to security. It would usually only take a few seconds to hash that many passwords; it took this long because I implemented a very high work factor in the hash algorithm. We wanted to prevent anyone from being able to brute force the database if it was ever stolen. Numerous bugs were worked out over the next day.
Google's login security features are a source of inspiration
When you log in to Google (and many other companies) and tell them to remember your login, it actually stores a new unique token in the cookie instead of your password. So if someone stole your phone or tablet, they don't have your plain text password stored on the device; they just have a token which only works on that device until you disable it. I used to think they were just storing your password, but fortunately that is not the case. This makes our accounts quite a bit more secure if you lose a device, as long as we quickly reset the related passwords. Every independent piece of software or device that logs into Google has a separate unique token.
I wanted to have a solution that is just as good as Google authentication for our software. To do this on Jetendo CMS, I had to redesign our system to have several new features. Before today, we only had 1 record per user. No matter how many computers logged into that account, they all shared the same security information. Now we can store an unlimited number of devices for each account and the token can be individually controlled for each one. If we detect theft or abuse on one token, we don't have to force all of them to log out. I'm also going to place other limits on the tokens which will be configurable in the Server Manager per site. This will let you run some sites with less strict security and others with extreme security.
Past security concerns with automatic login
In the past, the remember password feature stored the user's password in plain text both in the cookie and in the database, which makes the password much easier to steal. The biggest concern with this is that when a user has used that password on many different services, it leaves them more vulnerable: if any service they use is compromised, they may all be compromised. I really didn't want our software to become the reason for someone suffering identity theft or financial loss. I think we've done a lot to improve this now; however, it's not perfect without adding SSL encryption.
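The per-device token design described in the two sections above, as an added example (my illustration in Python, not Jetendo CMS code or its CFML implementation). It replaces the old "password in the cookie" scheme: the cookie carries a random selector plus a random verifier, the database row for that device holds only a hash of the verifier, and each device can be revoked on its own. The in-memory `device_tokens` table, the `TOKEN_LIFETIME_SECONDS` default and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Lifetime of a remember-me token; the text says such limits will be
# configurable per site, so this is just a constructed default.
TOKEN_LIFETIME_SECONDS = 30 * 24 * 3600


@dataclass
class DeviceToken:
    user_id: int
    device_label: str
    verifier_hash: bytes          # SHA-256 of the secret half; the secret is never stored
    expires_at: float
    revoked: bool = False
    last_seen_at: Optional[float] = None


# Stand-in for the "one row per device" table (constructed for the example).
# Key is the public selector, which is safe to index on.
device_tokens: Dict[str, DeviceToken] = {}


def _hash_verifier(verifier: str) -> bytes:
    return hashlib.sha256(verifier.encode("utf-8")).digest()


def issue_device_token(user_id: int, device_label: str,
                       now: Optional[float] = None) -> str:
    """Called once per device when the user ticks 'remember me'.
    Returns the cookie value; the database keeps only the verifier's hash,
    so a stolen database does not yield usable cookies."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)
    verifier = secrets.token_urlsafe(32)
    device_tokens[selector] = DeviceToken(
        user_id, device_label, _hash_verifier(verifier),
        now + TOKEN_LIFETIME_SECONDS)
    return f"{selector}:{verifier}"


def authenticate_cookie(cookie_value: str,
                        now: Optional[float] = None) -> Optional[int]:
    """Return the user id for a valid, unexpired, unrevoked device cookie,
    otherwise None. Lookup is by selector; the verifier is compared in
    constant time against the stored hash."""
    now = time.time() if now is None else now
    selector, sep, verifier = cookie_value.partition(":")
    if not sep or not verifier:
        return None
    record = device_tokens.get(selector)
    if record is None or record.revoked or now >= record.expires_at:
        return None
    if not hmac.compare_digest(_hash_verifier(verifier), record.verifier_hash):
        # A known selector with a wrong verifier is worth logging: it means
        # someone holds a tampered or partially leaked cookie for this device.
        return None
    record.last_seen_at = now
    return record.user_id


def revoke_device(selector: str) -> bool:
    """Log out a single device (lost phone, suspected abuse) without
    touching the user's other devices. Returns False if nothing changed."""
    record = device_tokens.get(selector)
    if record is None or record.revoked:
        return False
    record.revoked = True
    return True


def revoke_all_devices(user_id: int) -> int:
    """Log out every device for a user, e.g. after a password reset.
    Returns how many tokens were newly revoked."""
    return sum(revoke_device(sel) for sel, rec in device_tokens.items()
               if rec.user_id == user_id)


def list_devices(user_id: int) -> List[Tuple[str, str, bool]]:
    """(selector, label, revoked) for each device, for a 'your devices' page."""
    return [(sel, rec.device_label, rec.revoked)
            for sel, rec in device_tokens.items() if rec.user_id == user_id]


if __name__ == "__main__":
    phone = issue_device_token(42, "phone")
    laptop = issue_device_token(42, "laptop")
    print("phone ok:", authenticate_cookie(phone))
    revoke_device(phone.split(":")[0])          # lost the phone
    print("phone after revoke:", authenticate_cookie(phone))
    print("laptop still ok:", authenticate_cookie(laptop))
    print(list_devices(42))
```

Because the cookie holds a random token rather than the password, a device that is lost exposes only that device's session, and revoking it does not disturb the user's other logins. The design still depends on SSL in transit, as the next section explains: without it the token can be captured on the wire just as a password could.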
SSL encryption is mandatory if you are concerned with the security of your web site
Most of our web sites don't use SSL encryption to transmit data unless they are handling more sensitive information, but it is a good idea for every web site to start using SSL if they have admin / user account features. The password security features I've added to Jetendo CMS will be less effective in stopping security threats if the web site doesn't use SSL encryption. If SSL is enabled though, Jetendo CMS has now become a more secure and competitive solution.
Jetendo CMS will include these features in the free open source project
If your next project requires excellent security, you should check out Jetendo CMS - soon to be available under a free open source license. Being an open source solution, all the code I've written will be open to public scrutiny and this means that we'll have to stay on top of any bugs that users discover in addition to being proactive with testing and planning changes to our security features. Often, the more popular your software becomes, the more people try to hack it.
The login page was updated to look pretty with icons, new CSS styles and much nicer interactivity.
When logging in, Site Manager users will now be prompted with the following screen:
New Jetendo CMS Automatic Login Feature Screenshot
I wanted to improve the security because I plan to offer more ecommerce and security solutions in the future. My company web sites and a few clients do use SSL, and I try to do everything possible on them to make them a very nice showcase for what our software can do. I may spend more time later to implement an OpenID server on one of my domains so that all of the non-SSL domains can at least authenticate with an SSL domain. For now, anyone using OpenID with Google, Yahoo and many others should realize that those providers do use SSL to protect your account information, so I recommend that all our customers and Jetendo CMS users switch to using OpenID for logging in to the site, or ask us for a quote to set up SSL to protect their sites more.
I might add more features such as strong password requirements, password blacklist, login throttling, IP whitelist and more. There are some excellent ideas out there.
Better security comes from learning from the community
There are some great resources explaining how to implement a very secure login system. I did plenty of research and verification to ensure I was indeed following best practices. I also didn't use any third party code and opted to build this system using my own code. Third party solutions introduce more dependencies and complexity into the project, and I want to keep it as simple as possible.
Here are the resources I used so far: