What security precautions should we take when creating a login page?
First and foremost, in ASP.NET it is important to use the built-in Forms Authentication rather than rolling your own authentication framework. This gives you plenty of flexibility in constructing your login routines and you can still rely on the sophisticated authorization features provided by the ASP.NET framework.
Also, if you are using ASP.NET 2.0, Forms Authentication has been greatly enhanced by providing a number of ready-made user controls for user logins, password recovery and new user creation. Pre-existing user databases and login routines have been created for Microsoft Access and Microsoft SQL Server, and other user data sources can be created by implementing your own Membership and Role Providers. Relying on these built-in framework capabilities reduces the amount of code that has to be written, decreases implementation time, and helps reduce the number of security flaws in your applications.
Next, be sure to run your login routines over HTTPS. This prevents malicious attackers from observing or modifying login traffic that would reveal sensitive username and password information.
When designing an authentication scheme, you also want to make sure you are requiring the right credentials. The standard username/password authentication scheme has its flaws, but it is probably not going away any time soon. However, you should be careful not to use semi-public information such as Social Security numbers or driver license numbers for usernames. These are too easy to guess or steal and can lead to brute force attacks. You should also require some form of strong passwords. Preferably, passwords will be of arbitrary length and require alphabetic, numeric and special characters. This makes them difficult to guess. Although, if you allow special characters, take care that these characters don't open your application up to injection attacks.
If you have to implement your own username and password verification routines (for example if you are using ASP.NET 1.1 or if you are creating custom Providers in ASP.NET 2.0), be sure to follow standard secure coding practices. All user input should be assumed to be evil and not to be trusted. You should have set policies for what characters are acceptable for usernames and passwords and user-supplied credentials should be positively validated to match these patterns rather than just being checked for known "bad" characters. Watch for potential injection attacks against data stores such as databases or LDAP directories -- use stored procedures or parameterized queries.
Given the authentication and authorization capabilities built in to the ASP.NET platform, it is easier than ever to create secure login pages. By following some simple guidelines you should be able to reduce your attack surface and increase the security of your application.
- Forms authentication differences in ASP.NET 2.0
- Learning Guide: Developing secure .NET applications
- OWASP guide to building secure Web applications and Web services: Authentication