Remember Me Option
Not sure if this is the best place but it is a security issue.
I am wondering what best practices are for a remember me option on login. Should it keep the user logged in until they log out? Should it extend the login session from say 20 minutes to 24 hours? Should it just remember their Username? Just looking for some opinions.
I second feyd's remark. It's important to realize that this is one of those situations where usability and security are at odds. Someone who is automatically logged in because of a persistent login ("remember me") cookie should not be considered "logged in" for extremely sensitive actions but rather as a matter of convenience for general, personalized browsing.
These caveats aside, here is an example implementation:
http://phpsecurity.org/code/ch07-3
http://phpsecurity.org/code/ch07-4
Hope that helps.
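The distinction this reply draws, a persistent-login cookie that is convenient but is not treated as a real login for sensitive actions, as an added example in Python (not the phpsecurity.org code linked above). The token store, the 30-day lifetime and the set of sensitive actions are assumptions; a real deployment would persist the table in a database and set the cookie with HttpOnly and Secure flags.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-in for a database table of persistent-login
# tokens: selector -> {"user", "validator_hash", "expires"} (assumption).
REMEMBER_TOKENS = {}
PERSISTENT_LIFETIME = 30 * 24 * 3600   # the "remember me" cookie lives 30 days
SENSITIVE_ACTIONS = {"change_password", "change_email", "view_payment_details"}

def issue_remember_cookie(user, now=None):
    """Create a persistent-login token. The cookie carries selector:validator;
    the server keeps only a hash of the validator, so a leaked token table
    cannot be replayed as cookies."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)
    validator = secrets.token_urlsafe(32)
    REMEMBER_TOKENS[selector] = {
        "user": user,
        "validator_hash": hashlib.sha256(validator.encode()).hexdigest(),
        "expires": now + PERSISTENT_LIFETIME,
    }
    return f"{selector}:{validator}"

def session_from_cookie(cookie, now=None):
    """Turn a remember-me cookie into a session, or return None.
    The session is marked auth_level='persistent': convenience only."""
    now = time.time() if now is None else now
    selector, sep, validator = cookie.partition(":")
    rec = REMEMBER_TOKENS.get(selector) if sep else None
    if rec is None or rec["expires"] < now:
        REMEMBER_TOKENS.pop(selector, None)
        return None
    candidate = hashlib.sha256(validator.encode()).hexdigest()
    # Constant-time compare; a known selector with a wrong validator points at
    # a stolen or tampered cookie, so the token is revoked either way.
    del REMEMBER_TOKENS[selector]
    if not hmac.compare_digest(candidate, rec["validator_hash"]):
        return None
    # Rotate: every successful use consumes the token and issues a fresh one.
    return {"user": rec["user"], "auth_level": "persistent",
            "new_cookie": issue_remember_cookie(rec["user"], now)}

def can_perform(session, action):
    """Sensitive actions need a session from a fresh password login."""
    if action in SENSITIVE_ACTIONS:
        return session["auth_level"] == "password"
    return True
```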
I stick to remembering usernames (or the likes, email, id, etc) only.
If they value your website it's not too much to ask them to log in to protect their privacy. Also, many browsers offer the ability to remember logins.
- Chris Corbyn
jshpro2 wrote:
My bank goes out of its way to make the browser not able to "remember the password", using some kind of javascript and random names for form fields... pretty smart idea whoever thunk of that

My bank does that too. It's not JavaScript, there's an HTML attribute you can specify in the tags, autocomplete="off", or something to that effect.
My bank is more secure to the point of requiring a Mensa membership or a scrap of paper to enter your password:
Asking for the 1st, last and 4th characters from my password (at random) once I have entered my user id and had that stored in a cookie.
I will also be copying this method for any really secure sites, and it seems a good idea for any really secure areas of a lot of other sites.
For example, enter the 1st and 3rd character of your password to continue to view other members details... etc.
ntbd wrote:
My bank is more secure to the point of requiring a Mensa membership or a scrap of paper to enter your password:
Asking for the 1st, last and 4th characters from my password (at random) once I have entered my user id and had that stored in a cookie.
I will also be copying this method for any really secure sites, and it seems a good idea for any really secure areas of a lot of other sites.
For example, enter the 1st and 3rd character of your password to continue to view other members details... etc.
Although a novel idea, it may not be the best (depending how they did it). By requesting a random character from your password this may mean that your bank stores your password in their database unencrypted.
I guess they could have some table where they hash every character but I'd be surprised to see that...
Edit: unencrypted may not have been the correct word but you should get my point
ntbd wrote:
Asking for the 1st, last and 4th characters from my password (at random) once I have entered my user id and had that stored in a cookie.

I'm shocked if they are actually doing that. It's certainly not more secure.
Passwords have two "angles of attack" - brute force or compromise. We will ignore compromise, because it doesn't matter how complex the password is. If you give me your password (compromise it) you've lost the security.
That leaves brute force. Brute force is pretty much simple combinatorial math. How many combinations are possible?
By reducing the number of characters entered, they are lowering the brute force possibilities. ATM cards get away with four because it's NOT just brute force knowledge of the number - you also have to have the card itself, which holds another set of credentials.
To lower a login to 2-3 characters makes it a trivial attack to brute force. Instead of 8 (or more!) characters, which would take years or longer to brute force, you lower the number of attempts to the range of a few thousand - a desktop computer can brute force that in under a second!
The number of characters, and the complexity of those characters (alpha, numeric, special characters) all increase the multiplier, and anything - ANYTHING - that reduces that makes the result less secure.
The only thing the described system helps with is making passwords repeat less often, but with a salt, that's not a major issue (certainly not one worth degrading other security to obtain!).
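The brute-force arithmetic in this post, together with the earlier point that a partial-character check implies the bank can read individual characters of the stored password, worked through as an added Python example (not code from the thread or from any bank). The per-position salted hash table is a constructed illustration of the "table where they hash every character" idea; the 62-symbol alphabet and the 8-character password are assumptions.

```python
import hashlib
import string

# 62 symbols: the "alpha, numeric" case from the thread.
ALPHABET = string.ascii_letters + string.digits

def search_space(num_chars, alphabet_size=len(ALPHABET)):
    """Guesses needed to exhaust every possible value of num_chars characters."""
    return alphabet_size ** num_chars

def per_char_hashes(password, salt):
    """The one way a server could check 'give me the 1st, 4th and last
    character' without keeping the password itself: a salted hash per
    position. Constructed illustration, not any bank's actual scheme."""
    return [hashlib.sha256(f"{salt}:{i}:{ch}".encode()).hexdigest()
            for i, ch in enumerate(password)]

def recover_from_per_char_hashes(hashes, salt, alphabet=ALPHABET):
    """Why that table is no protection: whoever holds it (and the salt) tries
    at most len(alphabet) symbols per position, so the full password falls in
    len(alphabet) * len(password) hashes, however long the password is."""
    recovered = []
    for i, h in enumerate(hashes):
        for ch in alphabet:
            if hashlib.sha256(f"{salt}:{i}:{ch}".encode()).hexdigest() == h:
                recovered.append(ch)
                break
        else:
            return None   # character outside the alphabet: not recovered
    return "".join(recovered)

def compare_attack_costs(password_len, challenge_len):
    """Guess counts for: the whole password, the partial challenge the thread
    describes, and reversing a leaked per-character hash table."""
    return {
        "full_password": search_space(password_len),
        "partial_challenge": search_space(challenge_len),
        "per_char_table": len(ALPHABET) * password_len,
    }
```

For an 8-character alphanumeric password and a 3-character challenge the dictionary comes out as roughly 2.2e14 guesses for the full password, 238,328 for the challenge, and 496 hash computations to reverse a leaked per-character table.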
In their favour...
You need 5 characters, the password saved must have numbers etc., and I'd call it pretty bomb proof - even warning you when you login how many unsuccessful attempts have been made since last login. They are the UK specialist internet branch (firstdirect) of HSBC, so I'd guess they paid some serious devnet-geek-defeating money for it all!
Interesting point about the un-encrypted passwords though.
- RobertGonzalez