Are two security keys better than one?

views:

answers:

Are two security keys better than one?

I just implemented a "remember me" feature for a user login on a website. Most advice was to have the userid stored in a cookie, and then have some long, unguessable random key. If both of these match up, the user is considered authenticated.

Does having two strings actually help? Wouldn't a longer key do exactly the same thing?

In other words, aren't two keys equally susceptible to attacks as one longer key? (I imagine it would be the total length of the keys, regardless of how many you have)

Note: There might be some DB query efficiency issues here too, e.g., looking up a big UUID in the DB is not as easy as looking up a small number. (On a tangential note, Gmail uses a six digit number as their one-time login token along with the username.)

+1 A:

I'm no crypto expert, but as long as you check for brute-forcing attempts, you should be able to use a short key (like Gmail's 6 digits). The real vulnerability is people listening when a user logs in (eg. SideJacking).

PiPeep 2009-07-03 01:29:45

Thanks, that's what I'm thinking. With a short key, like gmail's, you probably have to shut the user down after a few failed attempts to login from cookies. But you can't do it using failed attempts in their session, because that can't be trusted... this problem is a slight hassle.

Yar 2009-07-03 09:09:20

+1 A:

In sites I have previously created I made use of a user_id and a salted hash of the user's password. The primary reason I used two fields to authenticate a user is because it saved me the trouble of adding another table (and thus complicating the database design.) With the user_id also being stored in the cookie I could do an indexed look-up in users table and efficiently match the salted hash to the user. Of course you could concatenate both the user_id and the hash into one value and just store that in the cookie.

If you just have a random unguessable string then you would have to have a separate table to associate the random string with a user-id and do another look-up for that particular user.

Patrick Gryciuk 2009-07-03 01:30:41

Thanks Patrick. I thought about that, but then you have no easy server-side way to invalidate persistent sessions...

Yar 2009-07-03 09:10:14

@Daniel Rosenstark You could set the cookie expiry time to whatever you feel is appropriate.

Patrick Gryciuk 2009-07-03 09:16:29

Thanks, but the client can change the cookie expiry time. If it's tamperable it's not to be trusted.

Yar 2009-07-03 13:23:41

+1 A:

Robust discussion of that in this SO thread.

... the user is considered authenticated.

Should probably read authenticated but with limited authoriziation.

Per comment: Somewhat more secure since it's one time use and it's hard to guess. So if the cookie is compromised, the attacker has to act quickly or the token will be invalidated by the legitimate user loging in whereas the userid may not change for a long time.

JP Alioto 2009-07-03 01:36:48

Thanks JP, that came up yesterday on my other question. That question is the reason that I'm asking this one, not the answer to it. Everybody says, "userid and rememberme token"... is that more secure, or just easier?

Yar 2009-07-03 09:12:35

ansaurus

tags:

views:

answers:

Are two security keys better than one?

related questions