Website Security

In today's online world, more people are coming online every day. As the Internet becomes more popular, security becomes a more important concern. As web developers, we must make security a primary focus. However, we are also limited in how secure we can make a site or application. In this article, we will discuss several key topics on website security.

When a new site is developed, we must decide which information will be available to the public and which information should only be made available to certain people. The most common way to do this is to create a login system that asks users for their user names and passwords to verify that they are authorized users. This type of system is used almost everywhere today, from email accounts to online banking. Unfortunately, these systems often become targets of hackers who try to gain access to this private information using a variety of methods.

The Brute Force Attack
This type of attack on a login system usually involves a hacker trying many different passwords to gain access to a restricted system. It is typically carried out by a program or script that tries, for example, every word in a dictionary as the password, in the hope that one of them will work and grant access.

Social Engineering
This is a collection of methods that involve manipulating people into divulging confidential information or performing tasks that leave systems more vulnerable. Most companies today still authenticate users with information that can easily be obtained from public records, such as a Social Security number, date of birth, or mother's maiden name. Let us briefly look at the various types of social engineering used today.

Phishing
This method almost always involves email. It works by creating authentic-looking emails that appear to come from reputable companies or organizations, such as a bank or a credit card company. These emails usually ask the user to "validate" some information and warn that consequences will follow if it is not done. They usually contain links to fraudulent websites that appear authentic to most users. These illegitimate websites simply collect private information such as a user name and password or an ATM PIN. Any information typed in is usually sent to the person or people responsible for the fraud.

Trojan Horses
Security companies classify these applications as malware. They are usually transmitted via email or instant messaging programs. They are generally well disguised, usually promising some reward for downloading them, such as a system upgrade, a new application, or a screen saver. Once installed, a Trojan horse silently collects information in the background of the victim's computer and transmits it to the program's creator.

Pretexting
This is another collection of tactics used to obtain a victim's personal information. For example, a pretexter may call a victim pretending to be from a survey firm or a credit card company and ask a few questions designed to extract confidential information. Once the pretexter has the desired information, he or she may then call the victim's bank or credit card company, claim to have authorized access to the account, and request confidential account information or even make changes to the account.

The methods above are only some of the methods people use to gain access to systems or accounts they are not authorized for. This is why a login system will never be 100% secure.

Security Methods
Now that we have discussed some major ways a login system, or account, can become compromised, we will cover a variety of methods to increase security. As web developers, we must be aware of all forms of security vulnerabilities and then plan for them to try to make login systems more secure.

Complex Passwords
The most common technique is to require complex passwords. This technique may not be popular with most Internet users, because having to remember a complex password is not very appealing. It is used to deter the brute force attacks discussed earlier in this article: a complex password is unlikely to be found in a common dictionary. However, this does not provide a 100% secure system. There are a large number of "cracker" databases containing massive numbers of complex passwords, and they grow larger every day. This is why even a complex password is not enough, and more measures must be taken.

Account Lockouts
This technique locks any account on a login system after a certain number of invalid login attempts. It is used specifically to deter brute force attacks. For example, a login system may be set to lock an account after three invalid login attempts. If someone were to run a brute force attack with a script that tries every word in a dictionary, the script would get only three attempts before the account is locked, rendering the attack useless.
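The lockout rule described above, written out as an added example (this is not code from the article). It assumes a constructed in-memory credential store, the article's threshold of three attempts, and a timed lock of 15 minutes, which the article does not specify; a locked account is refused before the password is ever compared.

```python
import hmac
import time

# Constructed credential store for the example (account name -> password).
# A real system stores salted password hashes; plaintext keeps the focus on lockout.
USERS = {"alice": "correct horse battery staple"}

MAX_FAILED_ATTEMPTS = 3     # the article's example threshold
LOCKOUT_SECONDS = 15 * 60   # assumed lockout duration; the article does not give one


class LoginSystem:
    def __init__(self, users, now=time.time):
        self._users = users
        self._now = now              # injectable clock so lockout expiry is testable
        self._failed = {}            # username -> consecutive failed attempts
        self._locked_until = {}      # username -> epoch seconds the lock expires

    def is_locked(self, username):
        return self._locked_until.get(username, 0.0) > self._now()

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'. A locked account is never compared
        against the supplied password, so further guesses learn nothing."""
        if self.is_locked(username):
            return "locked"
        stored = self._users.get(username)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            self._failed[username] = 0      # a successful login resets the counter
            return "ok"
        self._failed[username] = self._failed.get(username, 0) + 1
        if self._failed[username] >= MAX_FAILED_ATTEMPTS:
            self._locked_until[username] = self._now() + LOCKOUT_SECONDS
            self._failed[username] = 0
        return "denied"


def guesses_checked_before_lockout(system, username, wordlist):
    """Submit a word list the way a dictionary script would and count how many
    guesses the system actually evaluated before the account locked."""
    checked = 0
    for word in wordlist:
        result = system.login(username, word)
        if result == "locked":
            break
        checked += 1
        if result == "ok":
            break
    return checked
```

The lock is timed rather than permanent because the same rule can be tripped against a legitimate user; a timed lock still caps a dictionary run at three checked guesses per window.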

Secret Questions and Answers
This technique can be used in addition to simple user name and password authentication. For example, after a user enters his or her login credentials, the system asks the user a secret question and expects a specific answer before access is granted. This added layer of security on top of the other two techniques can drastically improve a login system's security.

The secret question and answer technique should not be confused with the similar system used to recover lost or forgotten passwords. A password recovery system may in fact create yet another security vulnerability for a login system, especially if the secret question asks for something easily obtainable, such as a mother's maiden name. This can give an unauthorized person access to an account without ever knowing the password.

When we design a new login system for a client's website, we highly recommend using at least the first two techniques discussed above to improve the integrity of the system. As we said above, we are limited in what we can do to make a system secure. The methods discussed above are designed to deter unauthorized personnel from gaining access to a restricted system; they cannot totally prevent it. The most vulnerable part of a login system will always be social engineering.
