Is it possible to secure an application if it is u

Published 2019-10-04 00:49

Question:

We live in a world of WordPress blogs, Joomla sites, and osCommerce shops where users routinely log in to their 'secure' admin areas by sending their usernames and passwords over the internet in plain text. We all know that's bad, but no one ever seems to upgrade their site to use SSL/TLS and developers are quite happy making applications that work over good old http.

Depending on the application, there must be a point at which people don't think it's worth implementing any greater security measures to protect their assets? If the choices are:

  1. No security at all
    • +) Who cares anyway?
    • -) Witness spam posts and Robert'); DROP TABLE students;
  2. Security from obscurity
    • +) Only certain people know which URL to go to
    • -) It's only a matter of time...
  3. Authenticate with a username only
    • +) Ok if the username is obscure and well constructed
    • -) Brute force attacks are too effective
  4. Authenticate with a username and password
    • +) Marginally better than just a username
    • -) Marginally better than just a username
  5. Authenticate with a hash of username and password
    • +) Prevents database hackers stealing password lists
    • -) If someone can hack your database, you shouldn't be worrying about plain text passwords
  6. Authenticate with JavaScript encryption (see Javascript asymmetric encryption and authentication)
    • +) Prevents usernames and passwords from being sent over plain text
    • -) A Man In The Middle could intercept the JavaScript and steal your passwords anyway
  7. Do any of the above over SSL
    • +) Prevents man in the middle attack
    • -) If a hacker is this determined, they'll find another way to bring you down

If the first 5 are easy for your average Wikipedia reader to work out, number 6 needs just a bit more knowledge, and hackers ignore number 7 to move on to other vulnerabilities, then none of these are actually a satisfactory way to guarantee absolute peace of mind.

Questions:

  1. What level of security is the cut off point for your average WordPress blog, or phpBB forum?
  2. Why has username + password become so prevalent?
  3. How should web application developers create future applications, knowing that an SSL certificate might not always be available?
  4. Is there really any point in designing a site with a 'secure' area if it is going to be used over http?

Answer 1:

  1. I ALWAYS use a hashed password with a salt. It is also good to implement some sort of brute force checking to block IPs that attempt more than X failed logins, etc.

  2. It's a system people know. Giving someone a 32 character GUID might work better if they could remember it. The problem is people not using good passwords and using the same passwords for banking as they do for e-mail as they do for Facebook. A possible scenario: you go to Joe Blow's site because he's offering a free ringtone, and you create an account using the same user/pass you use everywhere. Joe Blow doesn't encrypt your password; instead he uses it to try to access various banking websites using the same username/password combo. If you entered your e-mail on the site and used the same password as your e-mail, then he can access that and find out what bank you use when you get an e-mail from them letting you know your statement is available. The weakest link is almost always the user not being careful enough.

  3. One of the extra precautions I take beyond IP checking, brute force protection, etc. is to make sure the user-agent stays the same for the life of the session. It's just one extra check that helps protect against someone brute-forcing session IDs... they'd have to also spoof the user agent perfectly, which would require a man in the middle or someone with a live view of the DB... which isn't usually worth worrying about.

  4. I have yet to have an admin area hacked, but I have seen attempts. Everyone knows that they can go to wp-admin/ inside a WordPress website. If there were no authentication, there wouldn't be a blog in the world that didn't have 1000 blogs by a spammer overnight. It may not keep out the hacker-elites and middle-men... but most blogs aren't worth the effort for those guys. But not having any credentials would let any guy who can write a bot access everyone's blogs.
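The three measures this answer describes (salted password hashing, blocking an IP after X failed logins, and pinning a session to its user-agent) combined in one small login service. This is an added example, not code from the answer's author; it assumes PBKDF2-HMAC-SHA256 as the salted hash, a constructed in-memory user store, and a lockout threshold of 5, none of which the answer specifies.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

MAX_FAILURES = 5        # "X failed logins" per IP before blocking (assumed value)
PBKDF2_ROUNDS = 100_000  # slow, salted hash; PBKDF2 is an assumption, not the author's choice


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Hashed once so unknown usernames cost the same time as wrong passwords.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("not-a-real-password")


class AuthService:
    def __init__(self, max_failures: int = MAX_FAILURES):
        self.users = {}      # username -> (salt, digest); constructed in-memory store
        self.failures = {}   # client ip -> consecutive failed logins
        self.sessions = {}   # session id -> (username, user-agent seen at login)
        self.max_failures = max_failures

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str, ip: str, user_agent: str) -> Optional[str]:
        """Return a session id on success, None on failure or when the IP is blocked."""
        if self.failures.get(ip, 0) >= self.max_failures:
            return None  # brute force protection: this IP is locked out
        salt, digest = self.users.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
        ok = username in self.users and hmac.compare_digest(digest, hash_password(password, salt)[1])
        if not ok:
            self.failures[ip] = self.failures.get(ip, 0) + 1
            return None
        self.failures.pop(ip, None)               # success resets the counter
        sid = secrets.token_urlsafe(32)           # unguessable session id
        self.sessions[sid] = (username, user_agent)
        return sid

    def authenticate_session(self, sid: str, user_agent: str) -> Optional[str]:
        """Return the username only if the session exists and the user-agent still matches."""
        entry = self.sessions.get(sid)
        if entry is None or entry[1] != user_agent:
            return None
        return entry[0]
```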