Web-development – How to make security usable in a web application

Tags: security, users, web-development

I'm in the planning stages of developing a web application that I want to make as secure as possible. I'm pretty clear about how to do that from a technical point of view, but there is one massive potential security hole: I want the site to have users.

As anyone who has ever been a user knows, users forget usernames, forget passwords, and sometimes forget that they even had an account with your site. Users respond to phishing emails and give away their credentials. If you do anything that they find too complicated they won't use your site; it has to be simple and all happen in as few clicks as possible. But we have to balance that out by making it as hard as possible for users to accidentally give away their credentials and by keeping access to the service as secure as possible.

What I'm particularly interested in are strategies that go beyond the standard username and password combination and ways of recovering or resetting passwords that make things easy for users but hard for anyone trying to steal their account. I know a lot of sites provide an extra user-set security question, but because I don't trust users not to create a stupid question like "what is 1+1" I don't see how this can guarantee security.

Are there strategies that could be usable by the most clueless user but challenging to a determined and targeted attack aiming to break into their account? If not, what are the closest things we could get? As a user, what are the best/worst sites for this you have encountered, and why?

Best Answer

The only way I know of to build a truly secure web site is to require a password and have a challenge/response device.

For example, TreasuryDirect.gov sends you a card with a grid of random characters. As part of the logon process, you are asked to provide the characters that are contained in specific cells of the grid. But this is expensive and time-consuming; it requires you to get the cards, track them and send them out. Plus, if a person loses the card, they can't log in until you get them a new card. In the case of TreasuryDirect, where you could be managing millions of dollars, this hassle is worth it. Only you can determine if it will be worth it for your site.

Another option is to add a validation picture, like a lot of banks do. I believe this option only helps thwart some phishing attacks so if you think phishing will be a problem, this might be an option.

I believe the other alternatives, including what most banks use, seem to be secure but aren't really. Security questions, for example, I believe compromise sites more than they help. Others think this too.

One other thing will be to encourage users to use a "Passphrase" instead of a password as Jeff Atwood recommends. Amazon has taken this approach as well with their newish PayPhrase.
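The grid-card challenge/response the answer describes, as an added server-side sketch that is not part of the original answer or of TreasuryDirect's implementation. The card geometry, the number of cells asked per logon and the lockout threshold are assumed values; the step is meant to run only after the password check has already passed.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
ROWS, COLS = 5, 10           # card geometry; assumed values for this example
CHALLENGE_CELLS = 3          # cells asked per logon; assumed
MAX_FAILURES = 5             # lock the card after this many bad answers; assumed


def generate_card(rows=ROWS, cols=COLS):
    """Random character grid that would be printed and mailed to the user."""
    return [[secrets.choice(ALPHABET) for _ in range(cols)] for _ in range(rows)]


def cell_label(r, c):
    """Human-readable coordinate: column letter plus 1-based row, e.g. 'C2'."""
    return f"{string.ascii_uppercase[c]}{r + 1}"


class GridCardVerifier:
    """Server side of the challenge/response step that follows the password check."""

    def __init__(self, card):
        self.card = card
        self.failures = 0
        self.pending = None       # challenge issued but not yet answered

    def issue_challenge(self):
        """Pick distinct cells and remember them so the answer is bound to this challenge."""
        if self.failures >= MAX_FAILURES:
            raise PermissionError("card locked; the user needs a new card")
        cells = [(r, c) for r in range(len(self.card)) for c in range(len(self.card[0]))]
        self.pending = secrets.SystemRandom().sample(cells, CHALLENGE_CELLS)
        return [cell_label(r, c) for r, c in self.pending]

    def verify(self, response):
        """Check the user's characters for the pending cells; one attempt per challenge."""
        if self.pending is None:
            return False
        expected = "".join(self.card[r][c] for r, c in self.pending)
        self.pending = None       # single use: every attempt gets a fresh challenge
        # Constant-time comparison; case-fold so users may type lower case
        ok = secrets.compare_digest(expected.encode(), response.strip().upper().encode())
        if ok:
            self.failures = 0
        else:
            self.failures += 1
        return ok
```

Because a fresh set of cells is drawn for every attempt, a phished answer only reveals a few cells of the card rather than the whole secret, and the lockout keeps an attacker from harvesting the grid by repeated guessing.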
