A secure user account system with Eclipse RAP

A secure user account system with Eclipse RAP

Recently, I developed a „user account“ system for a customer’s Eclipse RAP application. Here are a few do’s and don’ts, which I learned in the process.

To provide some context: Users can perform these actions: sign-up for a new account, sign-in to an existing account, reset the password for an existing account (screenshots above).

Passwords

  • Never store passwords in plain-text.
  • Store passwords only in hashed form.
  • Hash using a widely accepted crypto-grade hash function; never your own.
  • Before hashing, add a random salt to each password. This ensures that same passwords have different hashes (making them harder to guess).
  • Use a slow (i.e. iterative) hash algorithm, to make brute force attacks less effective. This is called key stretching.
  • To verify a sign-in attempt: retrieve the „salt“ for that user, combine „salt“ with password-candidate and compute the hash. If the computed hash matches the stored hash, proceed.
  • Read this excellent tutorial on secure salted password storage before you start.

Sign-up (and user-entered-data)

Password Reset

  • Do not allow the user to log-in through the password reset workflow.
  • Do not send a new password via email.
  • Do send a reset token (hyperlink) to the email address associated with the user’s account.
  • Have the reset token expire within a few minutes.
  • Have the reset token expire after a successful login.

Hosting

  • For security over untrusted networks (public WiFi, etc.), serve sensitive data (i.e. login, sign-up) via https.
  • For best security, serve the whole application over https (if you can spare the CPU cycles).

Scaling

  • Implement authentication/sign-up as a networked service, so that it can be used by multiple RAP server instances. For OSGi-based software, OSGi Remote Services with ECF are an easy way to do this.
  • The authentication service should only be accessible on the internal network.

If you found this useful, follow me on twitter.

Elias.

3 Comments

Sorry, the comment form is closed at this time.