What do I need to do to secure log-in and registration for my website?

CSRF - You need to have protection in place to prevent cross site request forgery - or requests to login, signup, or other actions from other sites. This can be used to trick users into performing actions they didn't intend to.

CAPTCHA on signup - It's often recommended to use a CAPTCHA on your sign-up form to reduce automated signups. How important this is depends on your threat model.

Secure login - The login needs to happen over HTTPS to reduce the risk of the user's credentials being captured via a MiTM attack.

Cookies - While login over HTTPS should be seen as a minimum, everything else really should be over SSL as well to protect the cookies (remember Firesheep?). Though just using SSL isn't enough, you need to set the Secure flag and HttpOnly flag whenever possible.

Email Confirmation - You need to make sure that you verify a user's email address as part of the sign-up process (I'd suggest not letting them login until it's confirmed). You'll need to have this for use in password resets.

Bruteforce protection - You need to protect against an attacker bruteforcing user accounts. There are various ways to do this: locking accounts (which can be used as a DoS attack by locking out large numbers of users), limiting failed attempts from a given IP (either via ban, or additional CAPTCHA). There are pros and cons to each method, but it's important that you have some form of protection in place.

Secure password reset - You need to make sure that you have a secure method for resetting passwords. This one is more complicated than most people think, and is easy to get wrong (as Apple recently found). The biggest risk is that an attacker finds a way to abuse the feature to reset accounts that they don't own.

I'd strongly suggest that you read the OWASP Authentication Cheat Sheet, it goes into detail on these and many other potential issues; and as always, when building new systems, it's a good time to take another look at the OWASP Top 10 and make sure you have taken the proper precautions.


Adding to Adam's answer I would like to say that according to OWASP Top 10 Application Security Risks–2013 the top three vulnerabilities are Injection, Flaws in Authentication mechanism/session management and XSS.

  • Authentication and session management is a very broad topic but OWASP has a number of cheat sheets and guides whose links can be found in the above pdf.
  • The other two vulnerabilities Injection and XSS are generally a result of not validating the user input before generating the dynamic content (XSS) or before using it in a DB query (injection).
  • To prevent from Injection all the user input parameters must be validated (server-side) before using them in queries.
  • Prevention against XSS: see this
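As an added example that is not part of the answer above, the block below shows the two prevention points it makes side by side: server-side validation of a user-supplied parameter, a parameterized query beside the string-concatenated query it replaces, and output encoding before the value is placed into dynamic HTML. The `users` table is an in-memory SQLite table constructed for the example, and the function names are my own.

```python
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def validate_username(name: str) -> bool:
    """Server-side allow-list check: only the characters a username may legitimately contain."""
    return bool(USERNAME_RE.match(name))


def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Vulnerable form: the parameter is concatenated into the SQL text and so can change the query."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Hardened form: a bound parameter is always treated as data, never as SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable form: untrusted text dropped straight into HTML."""
    return f"<p>Welcome, {name}</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened form: HTML-encode the value so markup in it is displayed, not interpreted."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def handle_profile_request(conn: sqlite3.Connection, name: str) -> str:
    """Validate, then query with parameters, then encode on output: the full defensive path."""
    if not validate_username(name):
        return "<p>Invalid username</p>"
    found = lookup_user_safe(conn, name)
    if not found:
        return "<p>Unknown user</p>"
    return render_greeting_safe(found[0])


if __name__ == "__main__":
    db = build_demo_db()
    print(handle_profile_request(db, "alice"))
    print(handle_profile_request(db, "<b>alice</b>"))
```

Note that the three layers are independent: the parameterized query stays safe even for input that the allow-list would reject, and the output encoding protects the page even when a value stored in the database (perhaps written by another code path) contains markup.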