Ideas for Internet Login Security
I think one rather easy way to improve security would be to make it so hackers or crackers have no idea what login name to use to access a particular person's account. People could have a display name which is known to the public, and a private login name, which should be as secret as their password, as well as changeable.
This way, if, for instance, a cracker decided they wanted to crack a particular person's PayPal account, they wouldn't be able to just put in that person's email address and keep guessing passwords. The cracker wouldn't even be able to get that far, because they wouldn't even have a clue what login name to use to crack that exact person's account.
And, if someone's login name was accidentally found out, no problem, because that person could change their login name anytime they wanted, as easily as changing their password.
Another security feature websites probably ought to have is to permit only a certain number of login attempts per hour, or maybe even per day, or some other length of time, for any IP address trying to log into a certain account. Too many failures in a row is a potential indication that someone is trying to crack the account. The amount of time for that IP to be blocked should be renewed upon each failed attempt.
What would be even more devious than just blocking the IP (and cluing the cracker in that no further cracking attempts are possible with that IP address) would be to give no indication that login attempts from that IP address are now being refused. The site would just keep logging each attempt, while quietly refusing to acknowledge even a correct password for that account from that IP address any longer.
So, even if a cracker manages to stumble onto a correct password, they will be given no indication that they have, and they will be encouraged to continue wasting their time.
Websites could also track whether a particular IP address is trying to log into numerous different accounts on the website, and either block that IP (at least temporarily), or use the foregoing more devious tactic of seeming to permit login attempts but in fact just logging them and refusing to acknowledge even correct passwords, without giving any indication that this is being done.
And, websites could track whether numerous IP addresses keep trying to log into the same account, and after too much of that, keep logging the login attempts and temporarily refuse to acknowledge correct passwords from any IP address without giving any indication that this is being done.
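Here is the throttling scheme from the last few paragraphs worked out in code. This is an added example, not code from the original post: it keeps a per-(IP, account) failure count with a block that is renewed on every further attempt, plus the two extra signals (one IP failing against many accounts, many IPs failing against one account), and once throttled it logs the attempt and returns the generic failure even when the password is correct. The limits and the injectable clock are assumptions chosen for illustration.

```python
import time
from collections import defaultdict

# Constructed policy values for illustration; a real site would tune them.
MAX_FAILURES = 5           # failures per (ip, account) before that pair is throttled
BLOCK_SECONDS = 3600       # block window, renewed on every further attempt
MAX_ACCOUNTS_PER_IP = 10   # distinct accounts one IP may fail against before it is throttled
MAX_IPS_PER_ACCOUNT = 10   # distinct IPs that may fail against one account before it is throttled
GENERIC_FAILURE = "Login failed"

class LoginThrottle:
    """Counts failures; throttled attempts get the generic failure even with the right password."""
    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable so the policy can be tested offline
        self.failures = defaultdict(int)         # (ip, account) -> consecutive failures
        self.pair_block = {}                     # (ip, account) -> block expiry
        self.ip_block = {}                       # ip -> expiry (one IP spraying many accounts)
        self.account_block = {}                  # account -> expiry (many IPs on one account)
        self.accounts_by_ip = defaultdict(set)
        self.ips_by_account = defaultdict(set)
        self.log = []                            # (time, ip, account, password_ok, throttled)

    def _throttled(self, ip, account, now):
        return (self.pair_block.get((ip, account), 0) > now
                or self.ip_block.get(ip, 0) > now
                or self.account_block.get(account, 0) > now)

    def attempt(self, ip, account, password_ok):
        now, key = self.clock(), (ip, account)
        throttled = self._throttled(ip, account, now)
        self.log.append((now, ip, account, password_ok, throttled))  # owner can review this later
        if throttled:
            self.pair_block[key] = now + BLOCK_SECONDS   # renew the block on every attempt
            return GENERIC_FAILURE                       # no hint, even if the password was right
        if key in self.pair_block:                       # an earlier block has quietly expired
            del self.pair_block[key]
            self.failures[key] = 0
        if password_ok:
            self.failures[key] = 0
            return "Welcome"
        self.failures[key] += 1
        self.accounts_by_ip[ip].add(account)
        self.ips_by_account[account].add(ip)
        if self.failures[key] >= MAX_FAILURES:
            self.pair_block[key] = now + BLOCK_SECONDS
        if len(self.accounts_by_ip[ip]) >= MAX_ACCOUNTS_PER_IP:
            self.ip_block[ip] = now + BLOCK_SECONDS
        if len(self.ips_by_account[account]) >= MAX_IPS_PER_ACCOUNT:
            self.account_block[account] = now + BLOCK_SECONDS
        return GENERIC_FAILURE
```

The `log` list is the raw material for the per-user login history discussed further down; the `throttled` flag records the case where a correct password was entered but silently refused.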
You could provide phony MySQL and PHP error messages or other things to make naive crackers think their attempted SQL injection attacks are really working.
Making your site appear to have no idea what it's doing when it comes to security, but in fact being fiendishly devious, is a tactic to consider.
You could even make a phony login possible, to trick a cracker into thinking they were successful, and then log everything they do after that. You could also make the phony account and random password persistent, so if the cracker wants to make self-incriminating return visits to that phony account, they can.
Users, when logged in, could be presented with the logs of any login attempts, complete with IP addresses, exact dates and times, and the passwords entered.
So, if anyone is trying to crack a user's account, or if there actually have been any successful logins by IP addresses that don't belong to the user, or a cracker has actually entered the correct password while their logins were being blocked, the user will know about it, and will be able to change their login name and/or password.
Users could also be given the option of selecting one IP address (or more), or an IP range, to be the only IP address(es) permitted to successfully log into their account. There would probably have to be a way for the user to deactivate this filter from any IP address, though, in case a person ever loses access to their static IP address, or changes internet service providers and forgets to update their account's permitted IP addresses.
Websites should not be too helpfully informative about what accounts exist or not. Any login attempt should provide no indication of whether the login name put in is actually in use - by default, every login attempt might as well act as if there's something there to be cracked.
Also, the password reset and login name reset systems should give no indication that someone's email address doesn't exist in the system. It should just say something like, "Please check your email for instructions on how to reset your password" (or login name).
Naturally, numerous password or login name reset requests from the same IP address shouldn't be permitted, so the account owner won't get bombarded with email. The account owner could be given the option of blocking certain IPs from ever having their spurious reset requests acted upon.
Possibly, the login name reset system and the reset password system should be separate. Resetting both the login name and the password for an email address at once should maybe not be easy. The login name reset system should require the password, and the password reset system should require the login name.
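The points from the last few paragraphs, as an added example that is not code from the original post: the login and both reset flows return one fixed message whether or not the account exists, mail goes out only when the request is genuine, the password reset needs the secret login name, and the login name reset needs the password. As an extra beyond the text, an unknown name is checked against a throwaway hash so that the response takes the same time either way. The user record, the `outbox` list and the hashing parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

GENERIC_LOGIN_MSG = "Login failed"
GENERIC_RESET_MSG = "Please check your email for instructions."

def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user table: public display name, secret login name, email, salted hash.
_salt, _hash = hash_password("correct horse battery staple")
USERS = {"k3v9-lantern": {"display": "Alice", "email": "alice@example.com",
                          "salt": _salt, "hash": _hash}}
# Hash of a throwaway secret, checked whenever the account is unknown, so that
# unknown and known names cost the same time and yield the same reply.
DUMMY_SALT, DUMMY_HASH = hash_password(secrets.token_hex(16))
outbox = []  # constructed stand-in for the outgoing mail queue

def same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())

def verify(user, password):
    """True only if user exists and password matches; always performs exactly one hash."""
    salt, expected = (user["salt"], user["hash"]) if user else (DUMMY_SALT, DUMMY_HASH)
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected) and user is not None

def login(login_name, password):
    user = USERS.get(login_name)
    return f"Welcome, {user['display']}" if verify(user, password) else GENERIC_LOGIN_MSG

def request_password_reset(login_name, email):
    # Needs the secret login name; an unknown pair gets the same reply and no mail.
    user = USERS.get(login_name)
    if user and same(user["email"], email):
        outbox.append((email, "password reset link"))
    return GENERIC_RESET_MSG

def request_login_name_reset(email, password):
    # Needs the current password; the email alone reveals nothing and sends nothing.
    user = next((u for u in USERS.values() if same(u["email"], email)), None)
    if verify(user, password):
        outbox.append((email, "login name reminder"))
    return GENERIC_RESET_MSG
```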
Users should never use the same passwords or private login names on different websites and other internet accounts, and should be encouraged not to. For answers to any website security questions (like "What is your mother's maiden name?"), users should be encouraged to put in random nonsense or untrue answers, rather than true answers or answers which make sense.
Users should also be encouraged to not log into their accounts from a public computer or any other computer they don't trust, since there could be some kind of keylogger program installed on that computer which captures any text which is typed and could steal their password and login name.
Some other ideas:
- A login system where, any time you try to log in, one random security question (one of a set) would come up which would require an answer. Ideally, the answer assigned to that question by the owner of that account would have no relationship to the question at all and would itself be much like a password.
This set-up would almost be like having two different passwords on one account. The chances that a cracker would get both the password and the security question right would probably be less than the chance of a cracker getting a password alone right. Having a secret login name (instead of a publicly-known login name) on top of that would be almost like having three passwords.
- Accounts with passwords which change depending on the time of day, or what day it is, or the moon phase, or the current temperature in Dallas, Texas, or something... :-)