Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.


    #177163
    James Burton
    Participant

    Hello,

    I am building a custom login system and I would like to know if the list below is good security.

    1. Username and password are hashed (SHA256) and salted (up to 100 times)
    2. First name, last name, email, etc. are encrypted with up to a 4096-bit RSA or 384-bit ECC key.
    3. Encryption keys are stored on an HSM (Hardware Security Module)
    4. User data is stored on a different server and only VPN communications are allowed.
    5. Login form has a login token and a 10-minute expiry key
    6. Someone can't use the login form for an hour if they make more than 10 login tries
    7. Always-on SSL (from login to sign-out)
    8. Detect hacking and block the IP address for up to 30 minutes
    9. Detect SQL injection or XSS injection and block the IP address for up to 30 minutes
    10. On the login form, have an extra input box to stop robots
    11. Validation of all user input
    12. Check the password to see if it is weak; if the password is weak, the account can't be an admin or verified user.
    13. Check the username against a list of easy usernames like Admin, User.
    14. Pen-test the server and login system

    This is only an example of my login, not the actual login system.

    James Burton
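Items 1 and 5 of the list above, as an added worked example in Python; this is not James's code and does not claim to be his implementation. It runs the salted SHA-256 through PBKDF2-HMAC (the standard way to iterate a salted hash) and compares in constant time, and it signs the login-form token with HMAC so the client cannot edit the 10-minute expiry. The signing key, the iteration count and the token layout are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time
from typing import Optional

# Assumption: a 32-byte server-side signing key for form tokens. In the design
# above this would live in the HSM or a secrets store, never in source code.
FORM_TOKEN_KEY = os.urandom(32)
TOKEN_TTL_SECONDS = 600          # item 5: the login token expires after 10 minutes
PBKDF2_ITERATIONS = 600_000      # assumption; tune so one hash costs ~100 ms on your hardware


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated SHA-256 via PBKDF2-HMAC (item 1, with a standard KDF
    rather than a hand-rolled loop). Returns a self-describing string so the
    salt and the cost can be recovered at verification time."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def issue_form_token(now: Optional[float] = None) -> str:
    """Login-form token: issue time || random nonce, authenticated with HMAC-SHA256."""
    issued = int(time.time() if now is None else now)
    body = struct.pack(">Q", issued) + secrets.token_bytes(16)
    tag = hmac.new(FORM_TOKEN_KEY, body, "sha256").digest()
    return (body + tag).hex()


def check_form_token(token: str, now: Optional[float] = None) -> bool:
    """Accept only tokens whose MAC verifies and whose age is within the TTL."""
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return False
    if len(raw) != 8 + 16 + 32:
        return False
    body, tag = raw[:24], raw[24:]
    expected = hmac.new(FORM_TOKEN_KEY, body, "sha256").digest()
    if not hmac.compare_digest(expected, tag):   # forged or tampered token
        return False
    issued = struct.unpack(">Q", body[:8])[0]
    age = (time.time() if now is None else now) - issued
    return 0 <= age <= TOKEN_TTL_SECONDS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong", record))                           # False
    tok = issue_form_token()
    print(check_form_token(tok), check_form_token(tok, now=time.time() + 700))  # True False
```

The token carries its own issue time under the MAC, so the server keeps no per-form state and an expired or altered token fails closed; binding the token to the session cookie as well would also stop it being replayed from another browser.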

    #177167
    __
    Participant

    Username and password are hashed (SHA256) and salted (up to 100 times)

    Sounds good.

    First name, last name, email, etc. are encrypted with up to a 4096-bit RSA or 384-bit ECC key.
    Encryption keys are stored on an HSM (Hardware Security Module)

    Not sure why you’d need to encrypt these…? If you have a need, then of course, good. Otherwise, it’s just processing overhead. In most cases, I’d imagine this would be overkill.

    User data is stored on a different server and only VPN communications are allowed.
    Login form has a login token and a 10-minute expiry key

    Always good.

    Someone can't use the login form for an hour if they make more than 10 login tries

    This is fairly easy for an attacker to get around. It’s likely to be more of an annoyance for legitimate users that have forgotten their password. It might be better to ask if they need help instead, and/or add a second factor for authorization (e.g., require they use a temporary code you email to them).

    Always-on SSL (from login to sign-out)

    EXCELLENT

    Detect hacking and block the IP address for up to 30 minutes
    Detect SQL injection or XSS injection and block the IP address for up to 30 minutes
    On the login form, have an extra input box to stop robots

    How are you “detecting” these things?
    Also, keep in mind that IP blocking will often block legitimate users, since ISPs typically use dynamic IP addresses for their users.

    (This, along with locking out failed login attempts, is actually a method of attack: the attacker will do {whatever your site considers “hacking”} while using a proxy IP that is commonly used by your users. This can quickly make your site inaccessible for large blocks of your legitimate users.)

    Validation of all user input
    Check the password to see if it is weak; if the password is weak, the account can't be an admin or verified user.
    Check the username against a list of easy usernames like Admin, User.

    Good. Again, how are you actually doing this? What is a “Weak” password? (and why would you allow a “weak” password at all, even for a non-admin account?)

    Pen-test the server and login system

    Meaning you have hired, or are going to hire, someone to do a pentest? Awesome… but expensive. I'd weigh this against your actual need and risk. A thorough code review would be more practical in most cases. But hey, more power to you!
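The lockout-as-attack point in the reply above, replayed as an added example in Python (not code from either poster). It runs the same "10 failures, then block for 30 minutes" rule with three different keys: the source IP (items 6 and 8 as written), the account name, and the (IP, account) pair. The addresses, usernames and attempt sequences are constructed for the demonstration.

```python
from collections import defaultdict, deque
from typing import Callable, Hashable, List, Tuple

Attempt = Tuple[int, str, str, bool]   # (time, source IP, username, password correct?)


class FailureCounter:
    """Sliding-window counter: once `key` accrues `threshold` failures within
    `window` seconds it is blocked for `block` seconds."""

    def __init__(self, threshold: int = 10, window: int = 3600, block: int = 1800):
        self.threshold, self.window, self.block = threshold, window, block
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.blocked_until = {}

    def allowed(self, key: Hashable, now: int) -> bool:
        return self.blocked_until.get(key, 0) <= now

    def fail(self, key: Hashable, now: int) -> None:
        q = self.failures[key]
        q.append(now)
        while q and q[0] < now - self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[key] = now + self.block
            q.clear()


def replay(key_of: Callable[[str, str], Hashable], attempts: List[Attempt]) -> List[str]:
    """Run one lockout policy over a sequence of login attempts; one decision per attempt."""
    counter = FailureCounter()
    decisions = []
    for now, ip, user, password_ok in attempts:
        key = key_of(ip, user)
        if not counter.allowed(key, now):
            decisions.append("blocked")
        elif password_ok:
            decisions.append("ok")
        else:
            counter.fail(key, now)
            decisions.append("bad-password")
    return decisions


# Three ways to key the same counter.
def by_ip(ip: str, user: str) -> Hashable:           # block the source IP, as in the list
    return ip

def by_account(ip: str, user: str) -> Hashable:      # classic account lockout
    return user

def by_ip_and_account(ip: str, user: str) -> Hashable:
    return (ip, user)


# Constructed scenarios using RFC 5737 documentation addresses.
SHARED_PROXY = "203.0.113.7"   # one NAT/proxy address behind which many real users sit

# Scenario A: ten failed guesses at made-up usernames from the shared address,
# then two legitimate users log in correctly from that same address.
SCENARIO_SHARED_IP: List[Attempt] = (
    [(t, SHARED_PROXY, f"nobody{t}", False) for t in range(10)]
    + [(20, SHARED_PROXY, "alice", True), (21, SHARED_PROXY, "bob", True)]
)

# Scenario B: ten failed guesses at alice's account from ten different addresses,
# then alice logs in correctly from her own address.
SCENARIO_TARGET_ACCOUNT: List[Attempt] = (
    [(t, f"198.51.100.{t + 1}", "alice", False) for t in range(10)]
    + [(20, "192.0.2.44", "alice", True)]
)

if __name__ == "__main__":
    for name, key_fn in (("by_ip", by_ip), ("by_account", by_account),
                         ("by_ip_and_account", by_ip_and_account)):
        print(name, replay(key_fn, SCENARIO_SHARED_IP)[-2:],
              replay(key_fn, SCENARIO_TARGET_ACCOUNT)[-1])
```

Keyed by IP, scenario A blocks alice and bob even though they typed the right password; keyed by account, scenario B blocks alice after someone else's ten guesses. Keying on the (IP, account) pair lets both legitimate logins through, at the cost that an attacker with many addresses still gets nine free guesses per address against one account, which is the residual the reply's second-factor suggestion is there to cover. The in-memory dictionaries stand in for a shared store when the form is served from more than one host.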

    #177171
    James Burton
    Participant

    Hello @un-traq-ed or @traq

    Thank you for your comments.

    I created an algorithm to detect SQL or XSS injection code in my validation library.

    About the passwords

    A weak password is 8 characters long with only numbers and letters (lower and upper case).

    A good password is more than 8 characters long with a mix of special characters, upper and lower case letters and numbers.

    An excellent password is more than 12 characters long with a mix of 2 special characters, upper and lower case letters and numbers.

    Two-factor authentication is going to be in the login system as well.

    About the code review, I need someone who knows a lot about Java (cryptography, servlets, JSP, algorithms, etc.).

    I use PHP for the WSDL and validation as well.
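The three password tiers described in the post above, written out as an added example in Python (not James's code, which is Java/PHP). Where his description leaves a gap the code takes a labelled assumption: passwords shorter than the "weak" tier are rejected outright, and anything of 8 or more characters that does not meet the "good" rules counts as weak. It goes slightly beyond the post by adding a constructed deny list, to show what a composition rule alone does not catch.

```python
import string

SPECIAL = set(string.punctuation)

# Constructed stand-in for a breached-password list; a real deployment would
# check a large corpus, not a handful of literals.
KNOWN_BAD = {"password1!", "welcome1!", "qwerty123!"}


def classify(password: str) -> str:
    """Return 'reject', 'weak', 'good' or 'excellent' under the tiers in the post."""
    n = len(password)
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    specials = sum(1 for c in password if c in SPECIAL)
    mixed = has_upper and has_lower and has_digit
    if n < 8:
        return "reject"        # assumption: below the weak tier is not accepted at all
    if n > 12 and mixed and specials >= 2:
        return "excellent"     # more than 12 chars, 2 specials, upper, lower, digits
    if n > 8 and mixed and specials >= 1:
        return "good"          # more than 8 chars, special, upper, lower, digits
    return "weak"              # 8+ chars, letters and numbers only (or a class missing)


def may_be_privileged(password: str) -> bool:
    """Rule 12 of the first post: a weak password cannot belong to an admin or verified user."""
    return classify(password) in ("good", "excellent")


def acceptable(password: str) -> bool:
    """Composition tier plus deny list: 'Password1!' is 'good' by composition but still refused."""
    return classify(password) != "reject" and password.lower() not in KNOWN_BAD


if __name__ == "__main__":
    for pw in ("short1A", "abcdEF12", "Abc123!!", "Password1!", "Tr0ub4dor&3!xyz"):
        print(f"{pw!r:20} {classify(pw):10} admin-ok={may_be_privileged(pw)} accept={acceptable(pw)}")
```

Length and character-class rules only measure shape: "Password1!" satisfies every condition of the "good" tier, which is why the deny-list check sits beside the classifier rather than being replaced by it.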
