Filed under: security

Login Issues

The other day at the office there was some general talk about how people come up with really ill-considered ideas when trying to make a login process secure. The particular feature in focus was temporarily deactivating a person's login after 3 unsuccessful tries. The simple problem with this method is that anyone who knows your user-id can deactivate your account by making 3 unsuccessful login attempts with incorrect passwords, which can make life hell for you. So, what are the possible work-arounds? Well, look at the core issue you are trying to address by deactivating accounts after 3 unsuccessful login attempts. I think the core issue is to make things difficult for the person or bot who is trying to log in once 3 attempts have failed. Now understand this: that person or bot may not be the actual user at all. So the locality of the issue, and of its solution, should be the client side of the application where the login attempts are being made, not the data level where the user's information is stored. In a nutshell, make it difficult for whoever is logging in by creating trouble at the UI, not by deactivating the account itself in the DB.
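To make the difference concrete, here is an added example (not code from the original post) that puts the criticised lockout policy beside a per-source throttle. The class names, thresholds and the two addresses (documentation ranges) are constructed for the illustration.

```python
from collections import defaultdict, deque

# Constructed example, not code from the original post.
THRESHOLD = 3      # the post's "3 unsuccessful tries"
WINDOW = 15 * 60   # sliding window (seconds) for the throttling variant

class AccountLockout:
    """The criticised policy: deactivate the account after THRESHOLD failures."""
    def __init__(self):
        self.failures = defaultdict(int)
        self.locked = set()

    def check(self, username, source, now):
        return ("locked", 0) if username in self.locked else ("allow", 0)

    def record_failure(self, username, source, now):
        self.failures[username] += 1        # keyed by user-id alone
        if self.failures[username] >= THRESHOLD:
            self.locked.add(username)       # anyone knowing the id can trigger this

class SourceThrottle:
    """Friction where the attempts come from: failures are counted per
    (source, user-id) in a sliding window; the stored account is never touched."""
    def __init__(self):
        self.failures = defaultdict(deque)

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW:    # forget failures outside the window
            q.popleft()
        return len(q)

    def check(self, username, source, now):
        n = self._recent((source, username), now)
        if n < THRESHOLD:
            return ("allow", 0)
        # Past the threshold: demand a CAPTCHA and back off exponentially (cap 60 s).
        return ("challenge", min(2 ** (n - THRESHOLD), 60))

    def record_failure(self, username, source, now):
        self.failures[(source, username)].append(now)

def simulate(policy):
    """An attacker fails THRESHOLD times against 'alice' from one address, then
    alice tries from hers. Returns (attacker's next decision, alice's decision)."""
    attacker, alice, now = "203.0.113.5", "198.51.100.7", 1_700_000_000
    for i in range(THRESHOLD):
        policy.record_failure("alice", attacker, now + i)
    return (policy.check("alice", attacker, now + THRESHOLD),
            policy.check("alice", alice, now + THRESHOLD))
```

With the lockout policy alice is locked out by someone else's failures; with the throttle the attacker's source is challenged while alice's own attempt is still allowed. A source that rotates addresses can dodge a per-source key, so real deployments usually add a per-user counter that escalates to a CAPTCHA or delay rather than to deactivation.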