Web Page Login Security

Controlling access to web pages with web page login security

What is web page login?

The use of web sites as a means of information supply has created the need for a number of security measures in order to control access to information.

Web page login describes a security measure that is directly analogous to password access control.  In web page login, the user is asked to enter an identity/password combination in order to gain access to the information on that specific web page.

However, there are some material differences between the way that passwords work with web page login and the way they work with more familiar controls for things like PC operating system or network login.

The nature of web activities is that they ‘freewheel’ along rather than being rigidly structured.  That’s why you can move to another web page before the first one has finished arriving.  (In a realtime application you could never do this, you had to wait a screen to arrive before you could send a new command back.)

But this has an impact.  You cannot implement the typical control, three wrong passwords and you are locked out.  And that is because at the web server end there is no real way of controlling the relationship between the number of requests the web server sent out and what it received back.  To add to the confusion, in many PC systems, web pages are cached, and so the request for the page might not always be sent to the server anyway, and it is not unknown for a page to be sent more than once.

The end result is that web page login effectively allows multiple attempts to login – something that makes it far simpler for a hacker to attack using a password cracker than to bother with the more awkward approach of trying to capture it from a user’s machine.

Then even worse, is the immense problem created when trying to administer passwords, whether you are the supplier or the user.  Over the last few years suppliers have had to extend their password systems because hackers were proving it was just to easy to crack them.  So four characters became 6, and then more and with numbers as well.   Meanwhile users had to figure out how to remember them all, especially if any of them were updated.  The situation now is that having to remember 14 passwords is not unusual, and for some people it can get up to 30.  Unreal?

The other thing about web page login is that it does not make any checks about where the person logging in actually is.  Although, in theory, one can find the IP address of the person trying to log in, it isn’t quite that easy.  There are any number of possible IP addresses you could look for, starting with the local machine address, the local firewall address, a temporary address that might be used by any PC within an internal system, a cloaked address hiding the true address, and so on.  As a result it is often impossible to control where the person using web page logon is actually coming from.

Therefore web page login using passwords has additional weaknesses besides those normally associated with the use of passwords (see web login).

The XML communities have proposed an alternative approach to achieving web page login and this is discussed in more detail under web access login.

The other thing to remember about web page login is that it is just providing access control to the information.  It does not protect it once it has arrived on-screen at the user.  They are free to copy and paste the information, look at the source code on the page, and anything else that they want to.  So it must not be seen as a complete security solution for protecting web based information.