I am working on a single sign-on login page using Shibboleth that will be used for a variety of web applications. Obviously we would like to make this page as secure and usable
Keeping the same design on your login page will let your users know they are attempting to log in to your page; if the design changes randomly, users may think the site has been moved, or that they are being victims of phishing. So I would recommend keeping the same guidelines as your content pages.
Think like a user as well as a security guard: if you make them do a captcha every time to login, they're going to get pretty sick of it.
If you're trying to prevent Denial of Service, then maybe make a captcha appear only after there are enough (failed?) login attempts in a certain time period.
Consider using NTLM, OpenID, or Shibboleth to make login as automatic as possible for most users.
Don't make people go to a separate page to register. Presumably you will have username and password fields, and a login/submit button. Just add a "register as new user" button as well, so that new users can use the existing username/password fields. If you need to collect additional details for new users, pop up a form (using DHTML, not a popup window) to collect them.
Usability notes:
Personally I hate when sites put the "forgot password" or "forgot username" or "help" links in between the password field and the Login button. As a keyboard user, I shouldn't have to TAB over them to get to the submit button.
Better yet, also capture the Enter keypress on the password field so that I can auto-submit with the Enter key.
No matter what you design, a Phisher will be able to imitate it. Preventing phishing completely is a difficult problem. You will essentially have to have some means of identifying your users before they log in. Some banks do this now. You enter your name, and then they show you an image you yourself have selected, and then, once you are certain it's the same image, you enter your password. This may be a greater level of complexity than what your site requires.
On the technical side, Bank of America accomplishes this by using a Flash Local Shared Object called PassMark. Your browser silently sends back this data identifying yourself to the Bank. If you delete the LSO, then you will not be shown your image because BofA can't identify you. Even this is still vulnerable to man-in-the-middle attacks.
Realize that your user is generally going to spend all of 10 seconds on that page; it really doesn't matter what it looks like, so long as it is obvious where to put your user ID and password. Other than that, just don't be one of those sites that offers to email me my password if I forget it. At least let me believe that it's hidden in a nice salted hash somewhere where you can't retrieve it ever.
Include application-level DoS prevention.
Be non-specific with login failures. A generic "Login failed" instead of "Unknown Username".
Use a captcha or other Turing test.
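The two pieces of advice that recur above, a captcha that only appears after enough failed attempts in a time window and a login failure message that never distinguishes "unknown username" from "wrong password", fit naturally into one login handler. The following is an added example, not code from the thread; the threshold, window, user store and client identifier are assumed values, and the "captcha required" status is meant to be turned into a captcha challenge by the page, which is not shown.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

# Policy (assumed values, not from the original thread): require a captcha
# after MAX_FAILURES failed attempts from one client within WINDOW seconds.
MAX_FAILURES = 5
WINDOW = 600
GENERIC_FAILURE = "Login failed"  # never reveals whether the username exists


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, PBKDF2 digest); only salt and digest are stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Constructed sample user store: username -> (salt, digest)
USERS = {"alice": hash_password("correct horse battery staple")}
# Dummy credential used for unknown usernames so that path does the same hashing work
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy")

# client identifier (e.g. source address or session) -> timestamps of recent failures
_failures: dict[str, deque] = defaultdict(deque)


def _recent_failures(client: str, now: float) -> int:
    """Drop failures older than WINDOW and return how many remain."""
    q = _failures[client]
    while q and now - q[0] > WINDOW:
        q.popleft()
    return len(q)


def login(client: str, username: str, password: str, now: float, captcha_ok: bool = False) -> dict:
    """Attempt a login; status is 'ok', 'failed' or 'captcha_required'."""
    if _recent_failures(client, now) >= MAX_FAILURES and not captcha_ok:
        return {"status": "captcha_required", "message": GENERIC_FAILURE}
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    _, digest = hash_password(password, salt)
    # Constant-time compare; an unknown user always fails but takes the same path
    matched = hmac.compare_digest(digest, expected)
    if username in USERS and matched:
        _failures[client].clear()
        return {"status": "ok", "message": "Welcome"}
    _failures[client].append(now)
    return {"status": "failed", "message": GENERIC_FAILURE}
```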