tags:

views:

3368

answers:

12
+13  Q: 

Best practices for login pages?

I am working on a single sign-on login page using Shibboleth that will be used for a variety of web applications. Obviously we would like to make this page as secure and usable as possible while limiting the effects of phishing scams.

What are the best practices to keep in mind when designing a login page?

Some questions that have come up around this issue:

  • Is it important for the login page to always look the same on every display?
  • Conversely, would it be beneficial for the login page to have a random design?
  • Is it better for the login page to look the same as all of your other pages or should it have its own unique design?
  • If the login page has its own unique design, should it incorporate other constant elements from your site's design (such as global navigation)?
  • Is the login page an appropriate place to provide the user with additional content (such as latest news)?
  • Are there any additional security features that should be included to help keep people safe?
+6  A: 

keeping the same design in your login page will let know your users they are attempting to log in to your page if design change randomly user may think the site has been moved, or they are being victims of pishing. so i would recomend to keep the same guidelines as your content pages

Oscar Cabrero  2008-10-28 16:41:47
+4  A: 

One other "no duh" thing that I still see on a lot of applications I go to, if the credentials specified are invalid, do not indicate which one is invalid. Simply say something like "invalid user/password combination" instead of "invalid password" that will prevent those folks from social engineering to know a user base accessing your site.

Dillie-O  2008-10-28 16:46:12
A: 

A useful tip for come circumstances: You can disable client-side password saving by adding autocomplete="off" to the password field.

That doesn't work on all browsers (if I remember, IE 6+ and Firefox 3+)

Luk  2008-10-28 16:48:37
For sites that don't let me save the password I have a nice plain text file containing my passwords. The feature is there for a reason, let me decide to use it or not, don't turn it off just because you can.
tloach  2008-10-28 16:52:44
You don't want to trust your users with saving some of their passwords in cleartext (same as I don't trust some companies with efficiently storing my password) :)
Luk  2008-10-28 21:26:11
+2  A: 

include application level dos prevention

Be non-specific with login failures. A generic "Login failed" instead of "Unknown Username".

Use a captcha or other turing test.

StingyJack  2008-10-28 16:49:11
A: 

Realize that your user is going to spend all of 10 seconds on that page generally, it really doesn't matter what it looks like so long as it is obvious where to put your user ID and password. Other than that just don't be one of those sites that offers to email me my password if I forget it. At least let me believe that it's hidden in a nice salted hash somewhere where you can't retrieve it ever.

tloach  2008-10-28 16:51:09
+4  A: 

No matter what you design, a Phisher will be able to imitate it. Preventing phishing completely is a difficult problem. You will essentially have to have some means of identifying your users before they log in. Some banks do this now. You enter your name, and then they show you an image you yourself have selected, and then, once you are certain it's the same image, you enter your password. This may be a greater level of complexity than what your site requires.

On the technical side, Bank Of America accomplishes this by using a Flash Local Shared Object called PassMark. Your browser silently sends back this data identifying yourself to the Bank. If you delete the LSO, then you will not be shown your image because BofA can't identify you. Even this is still vulnerable to man-in-the-middle attacks.

Omniwombat  2008-10-28 17:13:45
+3  A: 

Seems like a no-brainer, but use HTTPS if the app requires it. Heck, even if it doesn't warrant it because people tend to reuse the same passwords. You can get a SSL cert cheap these days. If they lift a password from your site they can try it elsewhere. Even many banks don't have the login page on a secure line. It posts to an HTTPS page, but there is still no protection of a man in the middle type attack.

I agree with Omniwombat. Phishing is a hard problem to solve well and seemingly impossible to solve it completely.

Chris Kloberdanz  2008-10-28 17:56:25
HTTP is a stateless protocol. If a form is posted to a secure page, the data goes over SSL and is not subject to man-in-the-middle. Having a "secure" login page means nothing more than it was retrieved over a secure connection, and only lulls you into a false sense of security.
Duncan  2010-10-11 07:32:29
+10  A: 

Usability notes:

Personally I hate when sites put the "forgot password" or "forgot username" or "help" links inbetween the password field, and the Login button. As a keyboard user, I shouldn't have to TAB over them to get to the submit button.

Better yet, also capture the Enter keypress on the password field so that I can auto-submit with the Enter key.

scunliffe  2008-10-28 18:07:19
A: 

The best i've seen so far in an attempt to stop phishing is a bank's login interface. The login is done in 3 parts, first the user enters their account number (debit card number, credit card number...), the second step will randomly list 1 of 3 questions specified by a user (eg: What highschool did you attend for grade 10), the last part, if the first two are successful is to display an image and some text specified by the user at sign up, with the password field below.

Matt R  2008-10-28 18:16:24
A: 

@Joe Lencioni, and everyone else interested in Shibboleth

Your site pages should have the overall same look and feel on each page.

Regarding Shibboleth, and SSO. It is important to note which role your organization is associated with. Are you an Identity Provider - IdP (authenticating the user and then sending the response to the SP), or are you the Service Provider - SP (who will grant authentication based on the response and attributes sent by the IdP.

If you are a SP, you have whatever flexibility you desire to link your users to an IdP for them to login. Many SP create their own WAYF (Where Are You From) page that will redirect the user to the login page of the IdP.

If you are an IdP, you should have a login page that looks familiar to the user so they can login and then be redirected to the SP with the attributes that are needed for the SP to grant proper access.

As far as phishing scams go, it is important to keep Shibboleth metadata current. I believe many Federations recommend downloading metadata every (1) hour.

Many Shibboleth questions can be answered here: https://spaces.internet2.edu/display/SHIB2/Home

Hope this helps you out.

tidychaos  2009-04-10 15:10:41
+3  A: 

Smashing Magazine has pretty complete round-up about login forms. Web Form Design Patterns: Sign-Up Forms

Murmelschlurmel  2009-04-15 20:33:37
+1  A: 

Think like a user as well as a security guard: if you make them do a captcha every time to login, they're going to get pretty sick of it.

If you're trying to prevent Denial of Service, then maybe make a captcha appear only after there are enough (failed?) login attempts in a certain time period.

Consider using NTLM, OpenID, or Shibboleth to make login as automatic as possible for most users.

Don't make people go to a separate page to register. Presumably you will have username and password fields, and a login/submit button. Just add a "register as new user" button as well, so that new users can use the existing username/password fields. If you need to collect additional details for new users, popup a form (using DHTML, not a popup window) to collect them.

John  2010-01-12 09:34:38

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security