The article "Ensuring website safety" is provided by Sophos Plc and SophosLabs.

December 2007

If certain areas of the site are to be available only to registered users, the site needs a user authentication method [10].

There are several common options: basic authentication, digest authentication, and either of these carried over HTTPS. Strictly, HTTPS is not an authentication method but an encrypted transport; it is listed here because it changes what an eavesdropper can see of the other two.

  • With basic authentication, the user name and password are sent in the web request itself, only Base64-encoded rather than encrypted, so anyone who can observe the traffic can read them; and because the browser resends them with every request to the protected area, there are many chances to capture them. Even if the restricted content is not very valuable, it is better not to use this method over plain HTTP, because users often reuse the same password on several sites. A poll by Sophos found that 41% of users have a single password for all their Internet activities, whether a bank site or a regional forum [11], so a password captured from your site may unlock others. Protect users from this by choosing a safer authentication method.

  • Digest authentication, supported by all popular servers and browsers, sends a hash (MD5) of the user name, password, a server-supplied nonce and the request details instead of the password itself, so the password is never transmitted in clear (the user name still is). This protects the password against passive eavesdropping, reassures users, and reduces the likelihood of a successful attack on the server. It does not protect against an attacker who captures one exchange and guesses passwords offline, nor against one who can modify traffic, so it is not a substitute for HTTPS.

  • The HTTPS protocol encrypts all data passed between the browser and the server, not only user names and passwords, and lets the browser verify the server's identity through its certificate. HTTPS (based on SSL/TLS) should be used whenever users enter sensitive personal information such as an address, credit card number or bank details, and it is the right carrier for either of the authentication schemes above.
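To make the difference between the two HTTP schemes concrete, the following is an added example (not code from the Sophos article) that builds a Basic Authorization header and recovers the password from it as a passive observer would, then computes and verifies an RFC 2617 Digest response and shows the caveat that a captured Digest exchange still allows offline password guessing. The user name, password, realm, nonces and wordlist are constructed for illustration; the RFC formulas are the real ones.

```python
"""Basic vs Digest authentication: what crosses the wire and what an
eavesdropper can do with it. Added example, not code from the Sophos
article. The user, password, realm, nonces and wordlist are constructed."""
import base64
import hashlib
import hmac

# Constructed sample values (hypothetical, not from the original page).
USERNAME = "alice"
PASSWORD = "Winter2007"
REALM = "members@example.com"
METHOD, URI = "GET", "/members/index.html"


def basic_auth_header(username, password):
    """Authorization header Basic auth sends with every request (RFC 2617).
    The credentials are Base64-encoded, not encrypted."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic_credentials(header):
    """All a passive observer of plain HTTP has to do to get the password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(username:realm:password); the only secret the server keeps."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """'response' field for qop=auth (RFC 2617 section 3.2.2.1):
    MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri).
    The password never crosses the wire; username and realm do, in clear."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_auth_header(username, realm, nonce, uri, nc, cnonce, response):
    """The Authorization header the browser sends back to the server."""
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


def server_verifies(stored_ha1, method, uri, nonce, nc, cnonce, response):
    """Server side: recompute from the stored HA1 and compare in constant time.
    A real server must also check that the nonce is one it issued recently
    and that nc has not been seen before, or the exchange can be replayed."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def offline_guess(captured, wordlist):
    """The caveat Digest does not remove: one captured exchange lets an
    eavesdropper test candidate passwords offline, without contacting the server."""
    for candidate in wordlist:
        ha1 = digest_ha1(captured["username"], captured["realm"], candidate)
        guess = digest_response(ha1, captured["method"], captured["uri"],
                                captured["nonce"], captured["nc"], captured["cnonce"])
        if guess == captured["response"]:
            return candidate
    return None


def demo():
    """Run one Basic and one Digest exchange and return what each leaks."""
    basic = basic_auth_header(USERNAME, PASSWORD)
    leaked = recover_basic_credentials(basic)

    # Constructed server nonce and client nonce (real ones are random per request).
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    ha1 = digest_ha1(USERNAME, REALM, PASSWORD)
    response = digest_response(ha1, METHOD, URI, nonce, nc, cnonce)
    header = digest_auth_header(USERNAME, REALM, nonce, URI, nc, cnonce, response)
    captured = dict(username=USERNAME, realm=REALM, method=METHOD, uri=URI,
                    nonce=nonce, nc=nc, cnonce=cnonce, response=response)
    ok = server_verifies(ha1, METHOD, URI, nonce, nc, cnonce, response)
    guessed = offline_guess(captured, ["password", "letmein", "Winter2007"])
    return {"basic_leaks": leaked, "digest_header": header,
            "digest_accepted": ok, "digest_guessed": guessed}


if __name__ == "__main__":
    print(demo())
```

The Basic header decodes to the password with one call, which is why it must only ever travel over HTTPS. The Digest exchange keeps the password off the wire and lets the server verify it while storing only HA1, but a weak password still falls to an offline dictionary run against a single captured exchange, and nothing in the scheme authenticates the server to the user; both gaps are what HTTPS closes.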

When choosing an authentication system, use the safest option available. Weaker options scare away customers who care about the protection of their data, and expose users to unnecessary risk.