Creating a secure login form with an SSL certificate is a must. Here’s how you can do it.
There is always a risk when entering your login credentials as a user on a website that is not secured by an SSL certificate. This allows potential attackers to see your username and password in plain text. The attackers could easily steal information entered by the user on a non-https webpage hosting the login form. There are several approaches an attacker can use to steal a user’s credentials, such as phishing, cross-site scripting, or man-in-the-middle attacks. Such compromised credentials can lead to bigger problems like data theft etc.
Reading: How to create a website with secure sign on
Mistakes Web Developers Make
Here are two of the most common mistakes that many Web developers commit when it comes to creating a secure login form.
-
- Ignoring the importance of a secure login form:Many developers and website owners neglect the Importance of a secure login form on websites. Without being aware of the dangers of their actions, the negligence of these web developers can cause great harm to their visitors.
-
- Placing an https login form on an unsecured http page: In general, an SSL certificate requires more processing power, especially on a busy website. For this reason, many developers place the registration form on an http page such as the home page. Undoubtedly, this encrypts the credentials submitted by a user, but there may be some issues with this approach:
-
-
- cannot be sure about the security status of the login form: Nowadays, internet users are trained to look for certain visual cues like a padlock icon and green address bar, which assures them a secure web session . Completely removing these security symbols can leave users insecure about the security status of a website, even though the information submitted is encrypted.
- Attackers can change the form’s action to a different URL: If By posting the registration forms to an http page, a cyber attacker can easily paste a different URL for the form to be posted. At this point, the user would be completely unaware that the credentials have been compromised until the username and password have already been sent to the attacker. As an alternative method of stealing the information, an attacker can even inject JavaScript code to obtain the username and password without the user noticing any unusual activity.
-
How to create a secure login form with an SSL certificate
See also: How to create a registration form in HTML
Now that we know which methods to avoid To a login form, let’s go through the method of securing it with an SSL certificate. Many websites, including highly trusted banking websites, have conveniently placed their signup form on their unsecured home pages. This has caused many problems for the users who submit their personal information after signing up to these websites. Fortunately, realizing the dire consequences, many websites have opted for safer methods. On such sites, visitors are redirected to an “https” page even when they visit their unsecured homepage. Additionally, visual cues for EV SSL Certificates such as the green address bar eliminate any possibility of man-in-the-middle attacks or phishing attacks.
Basically, website owners have two options to create a secure registration form. They are:
- Create a separate login page that is accessed ONLY via an ‘https’ URL.
- Implement ‘https’ on the homepage and let the users login from there by pasting the login form there. This proved to be more convenient for users to log in, as the majority of users tend to bookmark such a “secured” home page compared to a separate login page.
See also: 10 Tips for Creating Great Blog Titles
According to Open Web Application Security Project (OSWAP), the worldwide non-profit organization focused on improving the security of software, requires a login landing page to use an SSL certificate. It clearly states that the very page where the user fills out the form should be an https page. If it’s not secure, attackers can modify the page as it’s being sent to the user, changing the location of the form submission or injecting JavaScript that steals the username/password as you type.
More options To secure a login form: Besides securing the login page with SSL, there are several other options available. These are:
-
- Facebook: Today almost everyone has a Facebook account.And this social network easily authenticates its users by using their Facebook username and password. The verification procedure is carried out on the Facebook website, which is fully secured by an SSL certificate. This option saves users from having to remember a different set of login/password.
-
- OpenID: Just like Facebook Connect, OpenID allows users to authenticate themselves on another website. While not as popular as Facebook, many OpenID services are available.
- Twitter: An API offered by Twitter also allows users to securely log in with their Twitter account their website.
Although securing a website’s registration form may seem like a very small step towards web security, but without taking that step , users get a negative impression of the security of the site. On the contrary, by protecting a website’s login form, you reward user expectations for web security.
See also: Menus
.
