Remember Me Option

Posted: Wed Mar 22, 2006 2:45 am
by Benjamin
Not sure if this is the best place but it is a security issue.

I am wondering what best practices are for a remember me option on login. Should it keep the user logged in until they log out? Should it extend the login session from, say, 20 minutes to 24 hours? Should it just remember their username? Just looking for some opinions.

Posted: Wed Mar 22, 2006 2:50 am
by feyd
The behaviour is often very specific to your needs, so it's hard to say anything really. The only thing I can recommend is requiring their password for them to enter any sensitive areas, such as administrative and possibly their profile data.

Posted: Sun Mar 26, 2006 1:47 pm
by shiflett
I second feyd's remark. It's important to realize that this is one of those situations where usability and security are at odds. Someone who is automatically logged in because of a persistent login ("remember me") cookie should not be considered "logged in" for extremely sensitive actions but rather as a matter of convenience for general, personalized browsing.

These caveats aside, here is an example implementation:

http://phpsecurity.org/code/ch07-3
http://phpsecurity.org/code/ch07-4

Hope that helps.

Posted: Sun Mar 26, 2006 5:20 pm
by s.dot
I stick to remembering usernames (or the like: email, ID, etc.) only.

If they value your website, it's not too much to ask them to log in to protect their privacy. Also, many browsers offer the ability to remember logins.

Posted: Sun Mar 26, 2006 6:17 pm
by josh
My bank goes out of its way to make the browser not able to "remember the password", using some kind of JavaScript and random names for form fields... pretty smart idea whoever thunk of that

Posted: Sun Mar 26, 2006 6:56 pm
by Chris Corbyn
jshpro2 wrote:
My bank goes out of its way to make the browser not able to "remember the password", using some kind of JavaScript and random names for form fields... pretty smart idea whoever thunk of that

My bank does that too. It's not JavaScript, there's an HTML attribute you can specify in the tags, autocomplete="off" or something to that effect.

Posted: Mon Mar 27, 2006 4:25 am
by Benjamin
It looks like a majority of you are leaning towards just remembering the username. I guess that is the prudent thing to do. As for the banks, that is a good idea. I'll remember that the next time I build something that needs to be really secure.

Posted: Wed Apr 12, 2006 12:57 pm
by ntbd
My bank is more secure to the point of requiring a Mensa membership or a scrap of paper to enter your password:

Asking for the 1st, last and 4th characters from my password (at random) once I have entered my user ID and had that stored in a cookie.

I will also be copying this method for any really secure sites, and it seems a good idea for any really secure areas of a lot of other sites.

For example, enter the 1st and 3rd character of your password to continue to view other members' details... etc.

Posted: Wed Apr 12, 2006 1:22 pm
by hawleyjr
ntbd wrote:
My bank is more secure to the point of requiring a Mensa membership or a scrap of paper to enter your password:

Asking for the 1st, last and 4th characters from my password (at random) once I have entered my user ID and had that stored in a cookie.

I will also be copying this method for any really secure sites, and it seems a good idea for any really secure areas of a lot of other sites.

For example, enter the 1st and 3rd character of your password to continue to view other members' details... etc.

Although a novel idea, it may not be the best (depending how they did it). By requesting a random character from your password, this may mean that your bank stores your password in their database unencrypted.

I guess they could have some table where they hash every character but I'd be surprised to see that... :o

Edit: unencrypted may not have been the correct word but you should get my point :)

Posted: Wed Apr 12, 2006 3:21 pm
by Oren
Dude... chances are that your bank sucks! I'd have left this bank :?

Posted: Wed Apr 12, 2006 4:08 pm
by Roja
ntbd wrote:
Asking for the 1st, last and 4th characters from my password (at random) once I have entered my user ID and had that stored in a cookie.

I'm shocked if they are actually doing that. It's certainly not more secure.

Passwords have two "angles of attack" - brute force or compromise. We will ignore compromise, because it doesn't matter how complex the password is: if you give me your password (compromise it) you've lost the security.

That leaves brute force. Brute force is pretty much simple combinatorial math. How many combinations are possible?

By reducing the number of characters entered, they are lowering the brute force possibilities. ATM cards get away with four because it's NOT just brute force knowledge of the number - you also have to have the card itself, which holds another set of credentials.

To lower a login to 2-3 characters makes it a trivial attack to brute force. Instead of 8 (or more!) characters, which would take years or longer to brute force, you lower the number of attempts to the range of a few thousand - a desktop computer can brute force that in under a second!

The number of characters, and the complexity of those characters (alpha, numeric, special characters) all increase the multiplier, and anything - ANYTHING - that reduces that makes the result less secure.

The only thing the described system helps with is making passwords repeat less often, but with a salt, that's not a major issue (certainly not one worth degrading other security to obtain!).

Posted: Wed Apr 12, 2006 5:04 pm
by ntbd
In their favour...

You need 5 characters, the password saved must have numbers etc., and I'd call it pretty bomb-proof - even warning you when you log in how many unsuccessful attempts have been made since last login. They are the UK specialist internet branch (firstdirect) of HSBC, so I'd guess they paid some serious devnet-geek-defeating money for it all! :lol:

Interesting point about the un-encrypted passwords though.

Posted: Wed Apr 12, 2006 6:41 pm
by RobertGonzalez
Nice. I was going to be trying to figure out how to combine an identifier with a salt. Never thought to throw in a token as well. I like the approach.
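One way to implement the persistent-login ("remember me") cookie that feyd and shiflett describe, combined with the identifier-plus-token idea RobertGonzalez mentions, as an added Python example that is not code from this thread or from the phpsecurity.org links; the in-memory stores, the 30-day lifetime and the `persistent` session flag are assumptions. Sessions rebuilt from the cookie are marked persistent and are refused entry to sensitive areas until a fresh password login.

```python
import hashlib
import hmac
import secrets
import time

REMEMBER_TTL = 30 * 24 * 3600  # persistent cookie lifetime: 30 days (assumption)
# Constructed in-memory stand-ins for the database tables a real site would use.
USERS = {"benjamin": hashlib.sha256(b"correct horse").hexdigest()}
REMEMBER_TOKENS = {}  # selector -> {"user", "validator_hash", "expires"}

def password_login(username, password):
    """Full login: returns a session that may reach sensitive areas."""
    if hmac.compare_digest(USERS.get(username, ""), hashlib.sha256(password.encode()).hexdigest()):
        return {"user": username, "persistent": False}
    return None

def issue_remember_cookie(username, now=None):
    """Mint a 'selector:validator' cookie. Only a hash of the validator is stored,
    so a leaked token table cannot be replayed as a cookie."""
    now = now or time.time()
    selector, validator = secrets.token_hex(8), secrets.token_hex(32)
    REMEMBER_TOKENS[selector] = {
        "user": username,
        "validator_hash": hashlib.sha256(validator.encode()).hexdigest(),
        "expires": now + REMEMBER_TTL,
    }
    return f"{selector}:{validator}"

def session_from_cookie(cookie, now=None):
    """Rebuild a session from a persistent cookie; None if malformed, expired or wrong.
    A rebuilt session is flagged persistent=True: convenient browsing only."""
    now = now or time.time()
    selector, _, validator = cookie.partition(":")
    rec = REMEMBER_TOKENS.pop(selector, None)  # single use: always consumed
    if rec is None or rec["expires"] < now:
        return None
    if not hmac.compare_digest(hashlib.sha256(validator.encode()).hexdigest(), rec["validator_hash"]):
        return None  # wrong validator for a known selector: treat as a stolen cookie
    # Rotate the token so a copied cookie stops working after its first use.
    return {"user": rec["user"], "persistent": True,
            "set_cookie": issue_remember_cookie(rec["user"], now)}

def can_access(session, sensitive):
    """Sensitive areas (admin, profile data) require a fresh password login."""
    return session is not None and not (sensitive and session["persistent"])
```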