Preface

When you learn to write programs, the first line of code you write is Hello World. But when you start learning web backend development, the first feature many people write is login (whisper: I don't know about anyone else, but that was me).

However, when I interview or talk with students who have little work experience, I find that many of them list on their resumes that they were responsible for the development and design of a project's login/registration module. Yet all of them simply implemented the functional logic and gave little thought to security.

The purpose of this article is to talk about what we need to consider when designing a login interface: not only the functional implementation, but also security.

Brute force

As long as a website is exposed to the public internet, it is very likely to be targeted, and brute forcing is a simple and effective way to attack it.

After obtaining a user name for the site by some means, the attacker writes a program that tries every possible password until it finds the correct one.

So how do we prevent that?

Captcha scheme

Smart students will think of it: once the number of wrong passwords reaches a certain count, I can add a captcha check! For example, when a user has entered the wrong password three times, they must enter an image captcha to continue logging in.

Pain points

This does filter out some illegal attacks, but with current OCR technology, ordinary image captchas are not very effective at stopping bots (and we are at a disadvantage here).

Of course, we can also pay for a verification scheme such as slide verification provided by a third-party company, but that is not 100% secure either and can be cracked as well (a painful lesson).

Login restriction scheme

At this point, some students say: I can directly restrict the login operations of abnormal users. When an account's wrong-password count reaches a certain number, reject all logins for that account, and restore it after a period of time.

For example, if the number of failed logins for an account reaches 10, all login attempts for that account are rejected for 5 minutes.

Pain points

Hmm, this does solve the problem of user passwords being brute forced. However, it brings another risk: although the attacker cannot obtain the website's user information, they can make it impossible for all of our website's users to log in!

All an attacker needs to do is loop over all the user names (or even random ones that may not exist) and attempt to log in, and those accounts will stay locked indefinitely, preventing normal users from logging in!

IP limiting scheme

If we cannot target the user name directly, we can target the IP address instead and block the attacker's IP.

You can block login operations from a given IP address when the number of failed calls to the login interface from that address reaches a certain number.

Pain points

This solves the problem to some extent. In fact, many rate-limiting operations are applied per IP address; for example, nginx's rate-limiting module can limit the number of requests per IP address per unit of time. But here are the problems:

  • Many schools and companies share a single egress IP address. If you restrict by IP address, other normal users behind it may be blocked by mistake
  • With so many VPNs available, an attacker can switch to another VPN and continue attacking after their IP is blocked

Mobile phone Authentication scheme

Is there a better way to prevent this? Of course. We can see that in recent years almost all apps let users bind their phone number.

One reason is the country's real-name policy requirements; the other is that a mobile phone number is essentially like an ID card and can basically represent a person's identity.

So many security operations are based on mobile phone verification, and login can be as well.

Brute force cracking summary

Combining the above methods with SMS verification-code checks can basically stop a considerable number of malicious attackers.

But no system is absolutely secure; we can only raise the cost of an attack as much as possible. Choose the right strategy according to the actual situation of your website.
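The following is an added example (not code from the original article) of how the captcha, account-restriction and IP-restriction schemes above can be layered so that the per-account step never becomes a hard reject. It uses the article's numbers (captcha after 3 failures, a 5-minute window at 10 failures) and escalates to phone verification instead of locking the account, which is what stops the "lock every user out" problem described earlier. The per-IP threshold and window are assumptions, and the clock is injectable so the logic can be exercised without waiting.

```python
import time
from collections import defaultdict, deque

# Thresholds from the article: captcha after 3 failures, restriction window of
# 5 minutes once an account reaches 10 failures. The per-IP values are assumed.
CAPTCHA_AFTER = 3
LOCK_AFTER = 10
LOCK_WINDOW = 5 * 60
IP_BLOCK_AFTER = 50       # assumption: failures per IP before blocking
IP_WINDOW = 10 * 60       # assumption: sliding window for the per-IP counter


class LoginGuard:
    """Tracks recent login failures per account and per source IP and decides
    what the login endpoint must demand before it even checks the password."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.account_failures = defaultdict(deque)  # username -> failure timestamps
        self.ip_failures = defaultdict(deque)       # ip -> failure timestamps

    @staticmethod
    def _prune(q, window, now):
        # Drop timestamps older than the window; return how many remain.
        while q and now - q[0] > window:
            q.popleft()
        return len(q)

    def decide(self, username, ip):
        """Return one of: allow, require_captcha, require_sms, block_ip."""
        now = self.clock()
        ip_count = self._prune(self.ip_failures[ip], IP_WINDOW, now)
        acct_count = self._prune(self.account_failures[username], LOCK_WINDOW, now)
        if ip_count >= IP_BLOCK_AFTER:
            return "block_ip"
        if acct_count >= LOCK_AFTER:
            # Step up to the bound phone instead of rejecting outright: an
            # attacker hammering a user name then cannot lock the owner out.
            return "require_sms"
        if acct_count >= CAPTCHA_AFTER:
            return "require_captcha"
        return "allow"

    def record_failure(self, username, ip):
        now = self.clock()
        self.account_failures[username].append(now)
        self.ip_failures[ip].append(now)

    def record_success(self, username):
        # A successful login clears the account counter but not the IP one,
        # so a shared egress IP is only blocked by sustained failures.
        self.account_failures.pop(username, None)


if __name__ == "__main__":
    # Constructed walk-through: one account attacked from one address.
    guard = LoginGuard()
    for attempt in range(1, 12):
        print(attempt, guard.decide("alice", "203.0.113.5"))
        guard.record_failure("alice", "203.0.113.5")
```

A real deployment would keep the counters in a shared store such as Redis with TTLs instead of in-process deques, but the decision order is the same: IP block first, then account step-up, then captcha.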

Man-in-the-middle attack

What is a man-in-the-middle attack

Man-in-the-middle attack (abbreviated MITM): during communication between A and B, an attacker obtains or modifies the communication between A and B by means of sniffing, interception, and so on.

For example: Xiao Bai sends a parcel to Xiao Huang, and on the way it passes through courier point A. Xiao Hei is hiding at courier point A, or simply opens a courier point B that pretends to be courier point A. He then secretly opens Xiao Bai's parcel to Xiao Huang and sees what is inside. He can even keep Xiao Bai's parcel and send a replacement of his own.

During login, if an attacker sniffs the login request sent from the client to the server, they can easily obtain the user name and password.

HTTPS scheme

The simplest and most effective way to prevent man-in-the-middle attacks is to switch to HTTPS and force all HTTP requests to the website onto HTTPS.

HTTPS adds SSL/TLS between HTTP and TCP to ensure secure data transmission. Compared with HTTP, HTTPS has the following characteristics:

  • Content encryption
  • Data integrity
  • Authentication

Encrypted transmission scheme

In addition to HTTPS, we can manually encrypt sensitive data in transit:

  • The user name can be encrypted with asymmetric encryption on the client side and decrypted on the server side
  • The password can be transmitted after MD5 hashing on the client, to prevent the plaintext password from being exposed
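As an added example (not from the original article), here is the password half of this scheme carried through to the server side: the client sends an MD5 digest instead of the plaintext, and the server never stores that digest as-is but derives a salted, slow PBKDF2 hash from it, so a leaked database does not hand out the very value the client transmits. The asymmetric encryption of the user name is not shown; the function names and the iteration count are assumptions.

```python
import hashlib
import hmac
import os


def client_side_digest(password: str) -> str:
    # What the browser sends in place of the plaintext password (the
    # article's client-side MD5 step). MD5 is used here only because that is
    # the scheme under discussion; it is not a password-storage hash.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def create_record(transmitted_digest: str, iterations: int = 200_000) -> dict:
    # Server side at registration: salt and stretch the transmitted digest.
    # Storing it raw would make a database leak equivalent to a credential
    # leak, because the digest is exactly what a client sends on login.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", transmitted_digest.encode("ascii"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify(record: dict, transmitted_digest: str) -> bool:
    # Server side at login: recompute with the stored salt and compare in
    # constant time so timing differences do not leak partial matches.
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        transmitted_digest.encode("ascii"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed walk-through with a sample password.
    sent_at_signup = client_side_digest("correct horse battery")
    stored = create_record(sent_at_signup)
    print("stored record:", stored)
    print("login ok:", verify(stored, client_side_digest("correct horse battery")))
    print("wrong pw ok:", verify(stored, client_side_digest("wrong")))
```

Note that client-side hashing only hides the plaintext from someone reading the wire; the digest itself still authenticates the user, which is why it must travel over HTTPS and be hashed again on the server.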

Extended thinking

Think about some security scenarios at work, such as:

  • Operation logs: Every user login and sensitive operation should be logged (including IP address and device).
  • Abnormal operation or login notifications: With the above operation logs, we can issue risk warnings based on them. For example, users can be notified by SMS when they log in from an unusual place or change their password
  • Reject weak passwords: Do not allow users to set weak passwords when registering or changing passwords
  • Prevent user-name enumeration: On some sites, after entering a user name during registration, the site prompts whether the user name exists. This risks exposing all the site's user names (by traversing the interface), so interactive or logical restrictions are needed…
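Here is an added example (not the article's own code) for the last two points above: a weak-password check applied at registration, and a registration handler that returns the same response whether or not the user name already exists, so the endpoint cannot be used to list valid accounts. The policy rules, the common-password list and the in-memory user table are constructed for the example; a real site would back them with a breached-password list and a database.

```python
import re

# Constructed sample of a common-password list; a real one has millions of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "abc123", "iloveyou"}

# Constructed sample of existing accounts.
EXISTING_USERS = {"alice", "bob"}

# Assumed policy: length, no common passwords, no user name inside, 3 of 4 classes.
MIN_LENGTH = 10
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")


def password_weakness(password: str, username: str) -> list:
    """Return the reasons a password is rejected; an empty list means acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("found in common-password list")
    if username and username.lower() in password.lower():
        reasons.append("contains the user name")
    classes = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if classes < 3:
        reasons.append("uses fewer than 3 character classes")
    return reasons


def register(username: str, password: str) -> dict:
    """Registration response that does not reveal whether the name is taken.

    Both branches return an identical body. For a taken name the site would
    notify the existing owner out of band (for example on the bound phone)
    rather than telling the caller anything.
    """
    problems = password_weakness(password, username)
    if problems:
        return {"ok": False, "error": "weak password: " + "; ".join(problems)}
    if username in EXISTING_USERS:
        # Deliberately the same message as the success path.
        return {"ok": True, "message": "a verification code has been sent to the bound phone"}
    EXISTING_USERS.add(username)
    return {"ok": True, "message": "a verification code has been sent to the bound phone"}


if __name__ == "__main__":
    # Constructed walk-through.
    print(register("carol", "123456"))
    print(register("carol", "Tr0ub4dor&3xyz"))
    print(register("alice", "Tr0ub4dor&3xyz"))   # same body as the line above
```

The weak-password check runs before the existence check on purpose: a caller must supply an acceptable password before learning anything at all, and even then the two outcomes are indistinguishable.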

Conclusion

Now the country is constantly issuing various laws and paying more and more attention to user data. As developers, we also need to do more to protect user data and user privacy. juejin.im/post/685921…

Follow the WeChat public account: IT elder brother
