4

Well, on my free time, I'm making this small web site. The site will not require to authenticate, only some actions (like leaving a comment) will require to do so.

I would expect to have up to 100 (probably less) unique visitors a day. I don't really expect more than 50% to (bother to) register.

Right now, I'm thinking of three possible authentication mechanisms (but I'm open to suggestions):

  • OpenID authentication;
  • HTTP Digest or at least HTTP Basic authentication;
  • My own (form based) authentication.

OpenID seems to me a little bit of an overkill for a small site like this. Also, buzzword like "OpenID" on the login page of my site might scare away the less tech-savvy people.

HTTP Digest (or Basic) authentication provides a low security level (or none at all), because the site will not be under HTTPS.

My own implementation would, most likely, suffer the same security problems as the HTTP Digest would. Although, I could implement some more protection against brute-force attacks (display a captcha after three failures etc).

What other mechanisms would you suggest? What are the pros and cons that I'm not seeing? What would you choose?

Paulius
  • 5,609
  • 7
  • 39
  • 47

10 Answers10

4

Well, if you want your visitors to leave comments I really think you're better of with something like OpenID. Because if you provide your own form based authentication who will really bother registering yet another account with some password wondering if they can trust you?

I think it's safe to say that people who like the internet own a gmail account, and all those people have an OpenID (Google account).

I suggest you use that... that's what I would do.

John Leidegren
  • 56,169
  • 16
  • 118
  • 148
  • Yeah, that's another question I should probably ask... How many non-programmers really know or at least heard of OpenID. I don't want to scare away less tech-savvy people from my site... – Paulius Feb 18 '09 at 12:53
  • How many of your typical visitors, even if they know of OpenID, have an account somewhere where you could interact with an OpenID mechanism? OpenID is a "gravy" service you layer over your own auth. – alphadogg Feb 18 '09 at 13:03
  • There are quite a lot of people who think StackOverflow should not use OpenID as it is too cumbersome, so imagine for non-tech people ... – Guillaume Feb 18 '09 at 13:09
  • Well I'm all for it. If non tech-savvy people don't get it, it's just a matter of time until they will. OpenID is great, it's a step in the right direction. For the record I didn't know about OpenID until I read about it on Hanselman's blog and I guess that's where stack overflow learned about it... – John Leidegren Feb 18 '09 at 13:21
  • Would it be hard to implement OpenID AND some other method on the same site? Like, if you have an openid - login using that, if you don't, or if you want a separate account - you can create one... would that be hard to implement? Is it already implemented anywhere? – Paulius Feb 19 '09 at 06:42
  • They point with OpenID is that it provides a unique user id which is a lot more reliable than a session cookie, which eventually will expire. What you choose to do with the user id is up to you, but it will allow people to repeatedly claim the same user id, allowing you to track your users. – John Leidegren Feb 19 '09 at 08:47
  • e.g. every time I visit stack overflow I claim the user id associated with blog.leidegren.se. Only I know the password for this google account and thus only I should be able to authenticate myself as blog.leidegren.se which the whole point. – John Leidegren Feb 19 '09 at 08:50
  • People have criticized OpenID for security flaws but non which I deem feasible and let's face it, you're not doing banking. You're just running a small community. Besides google supports OpenID, and as long as they do you can bet that it's a sensible technology which is worth checking out. – John Leidegren Feb 19 '09 at 08:52
  • Depends on what you mean by "Google supports"... Yes, they are an OpenID provider, but can I login with my OpenID provided by someone else? ;) – Paulius Feb 21 '09 at 22:36
1

You haven't said what language/technology you're using. It could affect things. But I'd be inclined to just roll your own form-based authentication. It's not terribly difficult. Just remember a few basics:

  • Always sanitize user input. It can't be trusted;
  • Never store a username or password in a cookie (believe me people do);
  • Only store encrypted passwords using a reliable encryption method like MD5 or SHA1;
  • Use a non-predictable salt;
  • Require cookies to be enabled. Don't try and do URL rewriting.
cletus
  • 578,732
  • 155
  • 890
  • 933
1

Why not just have a name field when they post a comment, perhaps remember it in a cookie if you want. Most users just want to identify themselves not have an account.

Just make sure that you have some spam blocking in place as forms attract spam bots. Even if that is just a capcha with the form every time.

Jeremy French
  • 10,555
  • 4
  • 43
  • 68
  • Well, I want to protect myself from spam (I don't want to spend too much time moderating comments). One of the reasons, why I only want to allow authenticated users to post comments.On the other hand, comments won't be the only thing behind authentication, so this doesn't really apply. – Paulius Feb 19 '09 at 06:40
1

Openid is the best I think. Also if you give proer help about open id (or like SOF shows) then people will uderstand. Once less tech savvy people uderstand the use of opend id (no new username and pwd) then they will start liking it.

Shoban
  • 22,724
  • 8
  • 60
  • 105
1

Definitely go with OpenID - the more people we get onboard, the more familiar people will become with it, and it's not really that strange to use the first time. If you are a microsoft dev, the dotNetOpenID library makes implementation pretty straightforward - I have done this for both ASP.NET and ASP.NET MVC sites with no problems.

EDIT:

With regard to supporting non tech-savvy users, some links / explanation on the login page would go a long way to alleviating concerns. The redirect they will see is quite similar to experiences that they are more familiar with, like credit card or paypal authorization, so should be easy to explain in these terms.

Jens Roland
  • 26,677
  • 14
  • 78
  • 102
Chris Ballard
  • 3,731
  • 4
  • 26
  • 40
  • Well, yeah, I'm a .NET dev at work, but I rarely work with ASP.NET - it's desktop apps and webservices most of the times. This project, however, has nothing to do with .NET - it's kind of a way for me to not to go crazy... I need to spend some time away from .NET... :) – Paulius Feb 18 '09 at 21:52
0

You could distribute some RSA SecurID to your visitors ;-)

Seriously, the main question to ask is: does the total hour of work to implement a decent security system for my users to log in are worth the content that may be accessed if the website security is broken?

Fabian Vilers
  • 2,742
  • 2
  • 21
  • 30
  • Well, I'm not concerned about people breaking into the site, and seeing some of MY private stuff. I'm concerned, that some of the registered users, might use the same password for something important (like e-mail or something). – Paulius Feb 18 '09 at 12:52
0

You should look into RPX (https://rpxnow.com/), its a layer on top of OpenID and a few other schemes that for most languages is really easy to implement (there is a gem for ruby and I know a friend of mine got it into his php application in a less than a couple of hours).

Chris Meek
  • 5,090
  • 7
  • 31
  • 41
  • What do you do if you don't have an account with Yahoo! or the other five providers they interact with? – alphadogg Feb 18 '09 at 12:59
  • They do pass through to openid, so as well as getting openid you get those other five providers out of the bag, plus it is very easy to get up and running. – Chris Meek Feb 18 '09 at 15:01
0

OpenID rules! As an informed user I'm not sure it's been looked at to the point where it's "bulletproof" for security, so I probably wouldn't use it for financial / medical websites, but for the 95% of other websites, it would save me from having to write down my cheat-sheet of 137 different usernames and passwords. I've used it in a (nonpublic) site I developed and it was a bit of a hassle to get the authentication working properly, but if you can use one of the libraries out there, go for it!

HTTP authentication is standardized but something about it disturbs me. I dunno what. Something about a separate dialog box popping out of the browser makes me suspicious.

p.s. BBC's Digital Planet had a radio program my local radio station aired yesterday (17 Feb 2009) that talked about OpenID. So I guess when the radio talks about it, it must be starting to go mainstream.

Jason S
  • 171,795
  • 155
  • 551
  • 900
0

My advice: do not reinvent the wheel. Web authentication is a wheel if I ever saw one, and it's remarkably difficult to get all the subtle pitfalls handled correctly. Chances are you'd miss something and end up with effectively no security.

Either go with an OpenID solution, or look into the many auth libraries out there, and pick a thoroughly-tested one.

See also: The Definitive Guide To Website Authentication

Community
  • 1
  • 1
Jens Roland
  • 26,677
  • 14
  • 78
  • 102
0

It depends in part who your target audience is. If they're all computer geeks, go with OpenID. They're either familiar with it, or will understand what you're doing. If they're not necessarily computer geeks, they may not have been exposed to OpenID authentication yet, so OpenID could present a barrier to entry. In that case, you might want to go a more traditional route, such as register/validate email/login approach, whether roll-your-own or off-the-shelf.

Don Branson
  • 13,237
  • 10
  • 54
  • 98