I am working on a single sign-on login page using Shibboleth that will be used for a variety of web applications. Obviously we would like to make this page as secure and usable
Seems like a no-brainer, but use HTTPS if the app requires it. Heck, even if it doesn't warrant it, because people tend to reuse the same passwords. You can get an SSL cert cheap these days. If they lift a password from your site they can try it elsewhere. Even many banks don't have the login page on a secure line. It posts to an HTTPS page, but there is still no protection against a man-in-the-middle type attack.
I agree with Omniwombat. Phishing is a hard problem to solve well and seemingly impossible to solve completely.
Smashing Magazine has a pretty complete round-up about login forms: Web Form Design Patterns: Sign-Up Forms
A useful tip for some circumstances: you can disable client-side password saving by adding autocomplete="off" to the password field.
That doesn't work on all browsers (if I remember, IE 6+ and Firefox 3+).
@Joe Lencioni, and everyone else interested in Shibboleth
Your site pages should have the overall same look and feel on each page.
Regarding Shibboleth and SSO, it is important to note which role your organization is associated with. Are you an Identity Provider - IdP (authenticating the user and then sending the response to the SP), or are you the Service Provider - SP (who will grant authentication based on the response and attributes sent by the IdP)?
If you are an SP, you have whatever flexibility you desire to link your users to an IdP for them to login. Many SPs create their own WAYF (Where Are You From) page that will redirect the user to the login page of the IdP.
If you are an IdP, you should have a login page that looks familiar to the user so they can login and then be redirected to the SP with the attributes that are needed for the SP to grant proper access.
As far as phishing scams go, it is important to keep Shibboleth metadata current. I believe many Federations recommend downloading metadata every (1) hour.
Many Shibboleth questions can be answered here: https://spaces.internet2.edu/display/SHIB2/Home
Hope this helps you out.
The best I've seen so far in an attempt to stop phishing is a bank's login interface. The login is done in 3 parts: first the user enters their account number (debit card number, credit card number...); the second step will randomly list 1 of 3 questions specified by the user (e.g. What high school did you attend for grade 10?); the last part, if the first two are successful, is to display an image and some text specified by the user at sign-up, with the password field below.
One other "no duh" thing that I still see on a lot of applications I go to: if the credentials specified are invalid, do not indicate which one is invalid. Simply say something like "invalid user/password combination" instead of "invalid password". That will prevent those folks from social engineering their way to knowing the user base accessing your site.
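One way to implement the "invalid user/password combination" advice from the answer above, as an added example that is not part of the original thread. It is standard-library Python with a constructed in-memory user store; the point it adds is that the server must also behave the same on an unknown username as on a wrong password (same hash work, constant-time comparison), otherwise the response time still tells an attacker which usernames exist even when the message does not.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# PBKDF2 work factor; lowered a little for a quick demo run (assumption, tune for production).
ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_record(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, hash) for storing a new user's password."""
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed user store for this example: username -> (salt, pbkdf2 hash).
# A real SSO deployment would back this with a directory or database.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": make_user_record("correct horse battery staple"),
}

# Dummy record used when the username is unknown, so the hash computation
# (and therefore the response time) is the same as for a real user.
_DUMMY_SALT, _DUMMY_HASH = make_user_record("unused-dummy-password")

# One message for every failure; never "unknown user" vs "wrong password".
GENERIC_ERROR = "Invalid username/password combination."


def authenticate(username: str, password: str) -> Tuple[bool, str]:
    """Return (success, message). The message never reveals which field was wrong."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # compare_digest runs in time independent of where the hashes differ.
    matches = hmac.compare_digest(candidate, expected)
    # The dummy record must never authenticate anyone, even if the submitted
    # password happens to equal the dummy password.
    if matches and username in USERS:
        return True, "Login successful."
    return False, GENERIC_ERROR


if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple"))
    print(authenticate("alice", "wrong password"))
    print(authenticate("nobody", "wrong password"))
```

Both failure cases return the identical tuple, and both cost one PBKDF2 computation, so neither the message nor the timing distinguishes an unknown user from a bad password.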