Signup/login security practices

Andrea Gigante
5 min read · Feb 21, 2019

Having a secure and optimised login process is vital for a business.

This is not just from the end-user perspective, but also to guarantee credibility and minimise the impact of a possible data breach (there is a data breach almost every week).

Below, you can find multiple areas, solutions and ideas that will improve security during a login or signup process.

ACTIVE SOLUTIONS

Password-free login solutions

Of course the best protection against a data breach that leaks a password list is not having any passwords at all. This can be achieved mainly via the following options:

  • Shared authentication solution (OpenID, OAuth, social login).
    The end user authenticates with a third-party mechanism, so our system never needs to store a password.
  • One-time login link sent via email (as medium.com does).
    This is a “new practice” that relies on the user having access to their email every time they want to log in.
  • Biometrics (e.g., fingerprint, retina, face recognition, voice).
    A strong authentication and identity solution enabled by the modern mobile devices that are now widely used.

Specific password rules

Sometimes a password-free solution is not possible; in this scenario we can mitigate risk by suggesting good security practices when a password is chosen.

I don’t want to write an article about the pros and cons of, and reasons for, good password policies and guidelines (or password vs passphrase vs password managers), so here is a simple list of “dos”, and at the bottom of this same article a simple list of “don’ts”.

  • Allow any character in a password (even emoji).
    Allowing any character lets the user feel more secure and at the same time allows input in any language.
  • Have a minimum of n characters (if a maximum is needed, it must be at least 64 characters).
    Currently the standard is around 6–8 characters (troyhunt article).

Login improvements

Suggestions that can improve end user confidence.

  • Block the top 1,000 / 100,000 worst passwords.
    We can easily improve security by checking whether the password entered is one of the most used passwords, and then alert the user or directly reject it.
  • Visual password strength or a password meter.
    A visualisation of the password’s complexity can help the user choose a stronger/longer password.
  • 2FA (two-factor authentication).
    Adding a second authentication check is a strong way to increase the security of a system.
XKCD - Password Reuse (792)
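The password rules above (any character allowed, a minimum length, a maximum no lower than 64, rejection of the most used passwords) combined into one validator. This is added example code, not from the article; the minimum of 8 and the tiny denylist are assumed, constructed stand-ins.

```python
import unicodedata
from typing import List

# Constructed stand-in for the "top 1,000 / 100,000 worst passwords" list;
# in practice load the full list from a file or a breach-data service.
WORST_PASSWORDS = {"123456", "password", "qwerty", "111111", "letmein", "p@ssw0rd"}

MIN_LENGTH = 8   # the article's "minimum of n characters"; 8 is assumed here
MAX_LENGTH = 64  # if a maximum is needed at all, it must be at least 64


def normalize(password: str) -> str:
    # NFKC so the same visible text typed on different keyboards compares
    # (and later hashes) identically; every character, emoji included, stays allowed.
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> List[str]:
    """Return every rule the password breaks; an empty list means it is accepted."""
    pw = normalize(password)
    problems = []
    # Count code points, not bytes, so non-Latin scripts and emoji are not penalised.
    if len(pw) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"must be at most {MAX_LENGTH} characters")
    # The denylist check is case-insensitive, so "Password" is rejected as well;
    # no composition rules (uppercase, digits, symbols) are enforced.
    if pw.lower() in WORST_PASSWORDS:
        problems.append("is one of the most commonly used passwords")
    return problems
```

Returning every broken rule at once lets the signup form show the requirements up front instead of one validation error at a time.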

PASSIVE SOLUTIONS

Passive security

There are multiple solutions that can be implemented at a technical level and/or by using third parties integrations:

  • Use SSL encryption.
    A basic practice: enforce HTTPS on every page and for every component of the site, not only during login.
  • reCAPTCHA.
    A simple solution that helps detect abusive traffic on the website without adding user friction.
  • Limit login and password reset attempts.
    Temporary IP restrictions, limiting failed login attempts and forgotten-password requests within a predefined period of time.
  • Geolocation security.
    An interesting functionality that many companies have started introducing: based on the travel time since the last login, the system can automatically restrict access to an account.
  • Sync with a service that collects data breaches (haveibeenpwned.com, spycloud.com).
    Knowing whether a user’s password has been breached is important. Thanks to those services we can be proactive and react by offering multiple solutions (I am actually considering writing a specific article just about the options available).
  • Store passwords with an up-to-date cryptographic solution (plus salt and pepper).
    A data breach is never positive for any company, but we can mitigate the impact in the “worst case scenario” by having used a strong, certified and slow one-way hashing scheme with an added “salt and pepper” solution.
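The “salt and pepper” storage item worked through with Python’s standard library, as an added example (not the article’s code): a per-user random salt, a server-side pepper applied as an HMAC key before a slow PBKDF2 derivation, and a self-describing record so the work factor can be raised later. The pepper value is constructed and the iteration count is assumed.

```python
import hashlib
import hmac
import secrets

# Constructed pepper for the example. In production it is loaded from config,
# an HSM or a secrets manager and never stored next to the user table, so a
# dump of the database alone leaves nothing that can be cracked offline.
PEPPER = bytes.fromhex("7f3a1c9e5b2d4a68f1e0c3b5a7d9e2f4")
ITERATIONS = 210_000  # assumed work factor; tune so one derivation takes ~100 ms
ALGO = "pbkdf2_sha256"


def _peppered(password: str, pepper: bytes) -> bytes:
    # Keyed HMAC of the password with the pepper; the result feeds the slow hash.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    salt = secrets.token_bytes(16)  # per-user random salt, stored in the clear
    digest = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper), salt, ITERATIONS)
    # Self-describing record: algorithm, work factor, salt and digest.
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", _peppered(password, pepper), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(stored: str) -> bool:
    # True when the record was made with a lower work factor than the current one,
    # so it can be upgraded transparently at the user's next successful login.
    return int(stored.split("$")[1]) < ITERATIONS
```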

Communications

Correct usage of emails and error messages is important. A company could inadvertently disclose vital information with a poorly worded error message, and at the same time an email alerting a user at the right time can protect against a possible hack attempt.

  • Error messages for password reset requests.
    A common error is telling a possible attacker whether an account exists in the system; it is important to always return a generic message similar to “If you are an existing user, we will immediately send you an email with a link to reset your password.”
  • Send an email every time a user logs in.
    A simple email notifying a user of their login is always useful. Confirming the IP and browser used will create confidence in the system and let the user react as soon as needed.
  • When automatically blocking a login (with correct email and password), send an email notification to the user.
    When following the previous rules (password breach, login attempts), an automated alert can be sent to the user highlighting the risk.
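The geolocation rule from the passive list and the automated alert above, as one added example (not code from the article): a haversine distance between the previous and current login location, the speed the user would have needed to cover it, and a block plus alert text when that speed is implausible. The 900 km/h threshold is assumed and the sample events are constructed with documentation IP ranges.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0  # assumed threshold: roughly airliner cruise speed

@dataclass
class LoginEvent:
    ip: str         # source address of the attempt
    lat: float      # latitude from IP geolocation
    lon: float      # longitude from IP geolocation
    when: datetime  # timezone-aware timestamp

# Constructed sample events (documentation IP ranges; London, Paris and Sydney coordinates).
T0 = datetime(2019, 2, 21, 9, 0, tzinfo=timezone.utc)
LONDON = LoginEvent("203.0.113.10", 51.5074, -0.1278, T0)
PARIS_1H = LoginEvent("198.51.100.7", 48.8566, 2.3522, T0.replace(hour=10))
SYDNEY_2H = LoginEvent("192.0.2.44", -33.8688, 151.2093, T0.replace(hour=11))

def distance_km(a, b):
    # Great-circle (haversine) distance between two geolocated logins.
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))

def required_speed_kmh(last, now):
    # Speed the user would have needed to reach the new location since the last login.
    dist = distance_km(last, now)
    hours = (now.when - last.when).total_seconds() / 3600
    if hours <= 0:
        return 0.0 if dist == 0 else float("inf")
    return dist / hours

def evaluate_login(last, now):
    """Return (allow, alert_text); alert_text is None when the login is allowed."""
    if last is None:
        return True, None  # first login: nothing to compare against
    if required_speed_kmh(last, now) <= MAX_SPEED_KMH:
        return True, None
    alert = (
        f"We blocked a sign-in to your account from {now.ip} on {now.when:%Y-%m-%d %H:%M %Z}: "
        f"it is {distance_km(last, now):.0f} km from your previous sign-in from {last.ip}. "
        "If this was not you, reset your password now."
    )
    return False, alert
```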

NEVER DO

  • Allow password hints (aka “memorable questions”, “security questions”).
    Social engineering is a common practice and security questions are a well-known critical risk.
  • Force password composition rules, e.g. “8 characters including 1 uppercase letter, 1 special character”.
    They simply don’t work and are difficult to remember (a good article I agree with: Password Rules Are #$@&%*!).
    If you have them, please display the requirements during account creation, not as a validation error.
  • Force users to regularly reset their passwords.
    We are all well aware of the common practice of simply incrementing the number in a password. Check the following article as well for additional information.

…and please… let users paste their complex passwords into the password field!

Photo by Logan Kirschner

SUMMARY

I must admit I am a simple security enthusiast; this article was created as an exercise and a review of modern techniques that help security and prevent common attack scenarios.

We can always increase security by using user certificates and enforcing MFA, but I was focusing on a general list of possible improvements for a general business. Banks, military and health care industries should use more complex and protective security measures.

A good practice to always have in place: audit everything. Being able to review metrics and identify possible improvements is fundamental for any project and product.

Additional information

A more comprehensive document can be found in the NIST PDF Digital Identity Guidelines.


Andrea Gigante

Agile practitioner, security fanatic, coffee addict, sci-fi fan, chess lover, Linux/Android user, Shorinji Kempo enthusiast. https://www.skytale.it