MarK (CZ) wrote: I must be totally ignorant of the things or I don't know these terms.
You may already know them, but have different terms for them. Vocabulary is often tricky in technology. I generally use Information Security phrasing, since it's my day job.
But I'll explain each a tiny bit:
1. Strong password requirements - More than 6 characters, use non-alpha chars, etc. Passwords change regularly.
2. No cleartext passing of authentication tokens - For a login box, use JavaScript to hash (sha256) the password before sending it. (i.e., don't send "password" in cleartext to the server).
3. No cleartext storage of authentication tokens - For logins, don't have a db column named "password" that in fact stores the plain-text version of the password. Ideally, use a hash of it instead (like sha256).
4. One-time pad/hashing - When a user goes to login, send him a one-time random number. That's called a one-time pad. Hash that pad AND the hash of their password and send THAT. The server can do the same thing, and then that same token can't be reused later (because it's only used once - one-time).
5. Unique user checking - make sure you don't have two identical users. Easier than it sounds, and it sounds pretty darned easy. Sadly, few systems check for it.
6. Session ID regeneration for key events (password change, etc) - Make sure to regenerate a session_id when the user status changes. This helps reduce brute-force session attacks, and session replay attacks.
MarK (CZ) wrote:
Either way it's not very good

I always thought that my scripts are somehow secure with all the user-input checking etc but this makes me doubt...
Secure is 100% relative. There is no "absolutely secure" in any sense. So, it may be "secure enough" for a simple website, or "secure enough" for a simple shopping cart online, or it might even be "secure enough" for an international bank routing system.
It just depends on the definition and the needs.
MarK (CZ) wrote: Do you know about some well-made tutorial on these? Thanks again
As a matter of fact, I've been working on one for Sitepoint, which I haven't submitted yet. When I do, I'll post about it, for sure.