Login and Password Authentication

Introduction

Implementation

Password Hashing

Database Authentication

Implementation Tips

  • If authentication fails, do not tell the user whether the login exists or not
  • Implement a user account lock policy to prevent password brute forcing
  • Use a strong hashing function, for example bcrypt, scrypt or PBKDF2, so that password hashes cannot be reversed if the user credentials database is stolen
  • Use a salt when hashing a password
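The four tips above combined in one login routine, written as an added example rather than code from the article: salted PBKDF2 hashing, a single generic failure message for unknown users and wrong passwords alike, a constant-time hash comparison, and a failed-attempt counter that locks the account. The in-memory user store, the lock threshold and the iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000      # illustrative work factor; tune upward for production
MAX_FAILED_ATTEMPTS = 5          # constructed lock threshold
GENERIC_FAILURE = "Invalid username or password"   # same text for every failure cause
DUMMY_SALT = b"\x00" * 16        # used only to equalise work for unknown users


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random 16-byte salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    """Constructed stand-in for the credentials database (salt and hash per user, no plaintext)."""

    def __init__(self) -> None:
        self.users: dict = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest, "failed": 0, "locked": False}

    def authenticate(self, username: str, password: str) -> Tuple[bool, str]:
        user = self.users.get(username)
        if user is None:
            # Unknown login: still perform the expensive hash so response time does not
            # reveal that the account is missing, then return the same generic message.
            hash_password(password, DUMMY_SALT)
            return False, GENERIC_FAILURE
        if user["locked"]:
            # Locked accounts reject even a correct password; the message stays generic so
            # the lock state does not confirm that the login exists.
            return False, GENERIC_FAILURE
        _, candidate = hash_password(password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):   # constant-time comparison
            user["failed"] = 0
            return True, "OK"
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True
        return False, GENERIC_FAILURE
```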

Pros and Cons

  • relatively simple implementation
  • the need for users to remember a password for each service
  • the need to implement an additional service to recover/change passwords
  • the security policy of some organizations requires periodic password changes, which impairs user experience
  • the password could be stolen using phishing or social engineering

Conclusion

Maxim Thomas

Open Identity Community member, OSS Enthusiast