Remember Me Option

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Not sure if this is the best place but it is a security issue.

I am wondering what best practices are for a remember me option on login. Should it keep the user logged in until they log out? Should it extend the login session from say 20 minutes to 24 hours? Should it just remember their Username? Just looking for some opinions.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The behaviour is often very specific to your needs, so it's hard to say anything really. The only thing I can recommend is requiring their password for them to enter any sensitive areas, such as administrative and possibly their profile data.
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

I second feyd's remark. It's important to realize that this is one of those situations where usability and security are at odds. Someone who is automatically logged in because of a persistent login ("remember me") cookie should not be considered "logged in" for extremely sensitive actions but rather as a matter of convenience for general, personalized browsing.

These caveats aside, here is an example implementation:

http://phpsecurity.org/code/ch07-3
http://phpsecurity.org/code/ch07-4

Hope that helps.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

I stick to remembering usernames (or the likes, email, id, etc) only.

If they value your website it's not too much to ask them to log in to protect their privacy. Also, many browsers offer the ability to remember logins.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

My bank goes out of its way to make the browser not able to "remember the password", using some kind of javascript and random names for form fields... pretty smart idea whoever thunk of that
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

jshpro2 wrote:My bank goes out of its way to make the browser not able to "remember the password", using some kind of javascript and random names for form fields... pretty smart idea whoever thunk of that
My bank does that too. It's not JavaScript, there's an HTML attribute you can specify in the tags, `autocomplete="off"` or something to that effect.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

It looks like a majority of you are leaning towards just remembering the username. I guess that is the prudent thing to do. As for the banks, that is a good idea. I'll remember that the next time I build something that needs to be really secure.
ntbd
Forum Newbie
Posts: 21
Joined: Wed Apr 12, 2006 6:42 am

Post by ntbd »

My bank is more secure to the point of requiring a mensa membership or a scrap of paper to enter your password:

Asking for the 1st, last and 4th characters from my password (at random) once I have entered my user id and had that stored in a cookie.

I will also be copying this method for any really secure sites, and it seems a good idea for any really secure areas of a lot of other sites.

For example, enter the 1st and 3rd character of your password to continue to view other members details... etc.
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

ntbd wrote:My bank is more secure to the point of requiring a mensa membership or a scrap of paper to enter your password:

Asking for the 1st, last and 4th characters from my password (at random) once I have entered my user id and had that stored in a cookie.

I will also be copying this method for any really secure sites, and it seems a good idea for any really secure areas of a lot of other sites.

For example, enter the 1st and 3rd character of your password to continue to view other members details... etc.

Although a novel idea, it may not be the best (depending how they did it). By requesting a random character from your password this may mean that your bank stores your password in their database unencrypted.

I guess they could have some table where they hash every character but I'd be surprised to see that... :o

Edit: unencrypted may not have been the correct word but you should get my point :)
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Dude... chances are that your bank sucks! I'd have left this bank :?
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

ntbd wrote:Asking for the 1st, last and 4th characters from my password (at random) once I have entered my user id and had that stored in a cookie.
I'm shocked if they are actually doing that. It's certainly not more secure.

Passwords have two "angles of attack": brute force or compromise. We will ignore compromise, because it doesn't matter how complex the password is... if you give me your password (compromise it) you've lost the security.

That leaves brute force. Brute force is pretty much simple combinatorial math. How many combinations are possible?

By reducing the number of characters entered, they are lowering the brute force possibilities. ATM cards get away with four because it's NOT just brute force knowledge of the number - you also have to have the card itself, which holds another set of credentials.

To lower a login to 2-3 characters makes it a trivial attack to brute force. Instead of 8 (or more!) characters, which would take years or longer to brute force, you lower the number of attempts to the range of a few thousand - a desktop computer can brute force that in under a second!

The number of characters, and the complexity of those characters (alpha, numeric, special characters) all increase the multiplier, and anything - ANYTHING - that reduces that makes the result less secure.

The only thing the described system helps with is making passwords repeat less often, but with a salt, that's not a major issue (certainly not one worth degrading other security to obtain!).
ntbd
Forum Newbie
Posts: 21
Joined: Wed Apr 12, 2006 6:42 am

Post by ntbd »

In their favour...

You need 5 characters, the password saved must have numbers etc. and I'd call it pretty bomb proof - even warning you when you login how many unsuccessful attempts have been made since last login. They are the UK specialist internet branch (firstdirect) of HSBC, so I'd guess they paid some serious devnet-geek-defeating money for it all! :lol:

Interesting point about the un-encrypted passwords though.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Nice. I was going to be trying to figure out how to combine an identifier with a salt. Never thought to throw in a token as well. I like the approach.
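The identifier-plus-token persistent login that shiflett's phpsecurity.org links describe, and that RobertGonzalez's reply refers to, as an added example that is not the code from those links or from any poster in this thread. It assumes an in-memory array standing in for the database table, and the function and constant names are mine.

```php
<?php
// Persistent-login ("remember me") cookie built from a random identifier plus a
// random token. Only a hash of the token is stored server-side, so a leaked table
// does not yield usable cookies; the token is single-use (rotated on every visit),
// and the caller flags the session as persistent so sensitive pages can demand
// the password again, as feyd and shiflett advise above.
// $store stands in for a table of (identifier, token_hash, user_id, expires).

const PERSIST_LIFETIME = 7 * 24 * 3600;   // one week; placeholder policy choice

function issue_persistent_login(array &$store, int $userId): string {
    $identifier = bin2hex(random_bytes(16));
    $token      = bin2hex(random_bytes(32));
    $store[$identifier] = [
        'user_id'    => $userId,
        'token_hash' => hash('sha256', $token),  // never store the raw token
        'expires'    => time() + PERSIST_LIFETIME,
    ];
    return $identifier . ':' . $token;           // value for the cookie
}

// Returns the user id on success, null otherwise. On success the record is
// consumed; the caller must issue a fresh cookie via issue_persistent_login().
function check_persistent_login(array &$store, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;                             // malformed cookie
    }
    [$identifier, $token] = $parts;
    if (!isset($store[$identifier])) {
        return null;
    }
    $row = $store[$identifier];
    if ($row['expires'] < time()) {
        unset($store[$identifier]);              // expired: clean up
        return null;
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        // Known identifier with the wrong token points to a copied cookie: revoke it.
        unset($store[$identifier]);
        return null;
    }
    unset($store[$identifier]);                  // single use
    return $row['user_id'];
}

// Usage (login handler, "remember me" ticked): Secure and HttpOnly flags set.
// setcookie('remember', issue_persistent_login($db, $userId), time() + PERSIST_LIFETIME, '/', '', true, true);
// On a visit with no session: if check_persistent_login() succeeds, start the session,
// set $_SESSION['auth_persistent'] = true and send a new cookie; pages that change the
// password or show other members' details must require the password when that flag is set.
```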