tdewolff / Dex

Small but feature-rich CMS for small and medium sized websites
MIT License

Increase security of login #23

Closed tdewolff closed 10 years ago

tdewolff commented 10 years ago

Protect login from outside requests (no referrer), block bruteforce attacks etc.

s-p-n commented 10 years ago

Agreed. Would like to see more detail on this, though.

tdewolff commented 10 years ago

Password minimum length and complexity are implemented but commented out until Dex is ready for release. Forms have a nonce to ensure form submission is not from an external source. A bruteforce table will prevent too many login or recover attempts within a short time.
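
The two controls described in the comment above, a per-form nonce and a bruteforce table, sketched as an added example that is not Dex's code. The table layout, function names, and the window, attempt and TTL values are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, sqlite3, time

WINDOW, MAX_ATTEMPTS, NONCE_TTL = 300, 5, 900   # assumed policy: seconds, count, seconds
SECRET = secrets.token_bytes(32)                # server-side key for signing nonces

db = sqlite3.connect(":memory:")                # hypothetical schema, not Dex's
db.execute("CREATE TABLE bruteforce (client TEXT, action TEXT, ts REAL)")
db.execute("CREATE TABLE used_nonce (nonce TEXT PRIMARY KEY)")

def _mac(session_id, action, ts, rand):
    msg = f"{session_id}|{action}|{ts}|{rand}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_nonce(session_id, action, now=None):
    """Hidden-field value bound to one session and one form."""
    ts = str(int(time.time() if now is None else now))
    rand = secrets.token_hex(8)
    return f"{ts}.{rand}.{_mac(session_id, action, ts, rand)}"

def check_nonce(nonce, session_id, action, now=None):
    """Accept a nonce once, only for the session and form it was issued to."""
    now = time.time() if now is None else now
    try:
        ts, rand, mac = nonce.split(".")
        age = now - int(ts)
    except ValueError:                          # malformed field
        return False
    expected = _mac(session_id, action, ts, rand)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    if not 0 <= age <= NONCE_TTL:
        return False
    try:
        db.execute("INSERT INTO used_nonce VALUES (?)", (nonce,))
    except sqlite3.IntegrityError:              # already submitted once
        return False
    return True

def allowed(client, action, now=None):
    """True while the client is under MAX_ATTEMPTS failures within WINDOW."""
    now = time.time() if now is None else now
    db.execute("DELETE FROM bruteforce WHERE ts < ?", (now - WINDOW,))
    (n,) = db.execute("SELECT COUNT(*) FROM bruteforce WHERE client=? AND action=?",
                      (client, action)).fetchone()
    return n < MAX_ATTEMPTS

def record_failure(client, action, now=None):
    now = time.time() if now is None else now
    db.execute("INSERT INTO bruteforce VALUES (?,?,?)", (client, action, now))
```

Call `allowed()` before checking credentials and `record_failure()` after each failed login or recover attempt. Keying on the client address alone does not slow an attempt spread across many addresses, so a second counter keyed on the target account covers that case.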