Skip to content
March 5, 2014 / binidas

Securing your site

Following few steps below to ensure your website is as secure as possible. There are no complete fool proof solution to it, however ensuring some best practices can help intruder to fiddle with you customers account and harm your website.

Security

1. Use TLS/SSL on the website to provide secure https channel for communication between the client and server.

2. Use PBKDF2  or Bcrypt hashing function to store password. These functions have multiple interations on hashing which slows down the hacker. SHA and md hashing algorithm is supposed to be efficient at performance and hence susceptible to be hacked.

3. Cross Site Request Forgery – Add CSRF token on every web page to prevent hackers repost the request with pre-authenticated  auth cookie with little social engineering on the site you are accessing.

Few others from – https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet

Account/Password Policy

1. Account disclosure – Do not reveal if user account exist in the system. Validation error message on login and forgot password page should state either username and / or password doesn’t match.

2. Brute force protection – lock the account after 3 or 5 attempt to login.

3. Enforce strong credential – password hint should state only minimum character and not maximum characters. Example, “password should be between 6 to 10 character ” is wrong. “Password should have minimum 6 characters”.

4. Never email password instead provide link to password reset token with time limit on the link.

5. You may use CAPTCHA to prevent automating the process of hacking

6. Providing a god secrect question is important , follow on http://goodsecurityquestions.com/ (Ref- paypal secret question). Ensure to secure hash the secret question and answer as you do for password.

7. Use 2 factor authentication for password reset either by RSA SecureID or using SMS (see how google does 2FA. Fisrt it sends url to email with unique generated token, when user clicks on link it will then send code via SMS to you registered mobile. It will then redirect to password reset page). Not a fool proof if you lose your smart phone.

8. Notify the owner for password change.

9. Log every action of the account.

Thanks Troy Hunt for this beautiful flow chart.

Password-Reset5

References –

http://www.troyhunt.com/2014/02/the-tesco-hack-heres-how-it-probably.html?m=1

http://goodsecurityquestions.com/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: