Login and Password Authentication

Original article https://www.openidentityplatform.org/blog/login-password-authentication

Introduction

Authentication is an identity verification process. For software, authentication is used for verifying the identities of users or client applications. The most common way to authenticate users is login and password authentication.

The user login may be public, but the password should exist only in the user's memory (and not on a piece of paper under the keyboard or taped to the monitor!) and is used to verify that the login belongs to the one user who knows the password.

Implementation

The login is stored in the user database in plaintext so that the user account can be looked up quickly. The password should be stored only as its hash and never in plaintext. During authentication, the hash of the password entered by the user is calculated and compared with the value stored in the database; if the values match, authentication is successful.

Password Hashing

Database Authentication

Implementation Tips

  • Implement a user account lock policy to prevent password brute forcing
  • Use a strong hashing function, for example bcrypt, scrypt or PBKDF2, to make recovering passwords from their hashes impractical in case the user credentials database is stolen
  • Use a salt when hashing a password
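As an added example (not code from the original article), the flow described under Implementation and the tips above, written in Python: the login stays in plaintext as the lookup key, the password is stored only as a salted PBKDF2 hash, verification recomputes the hash and compares it in constant time, and repeated failures lock the account. The in-memory user store, logins and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed in-memory "user database": plaintext login -> account record.
USERS = {}

PBKDF2_ITERATIONS = 200_000   # work factor; raise as hardware gets faster
MAX_FAILED_ATTEMPTS = 5       # account lock policy from the tips above
LOCK_SECONDS = 15 * 60


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; the salt must be unique per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def register(login: str, password: str) -> None:
    salt = os.urandom(16)   # random per-user salt, stored next to the hash
    USERS[login] = {"salt": salt, "hash": hash_password(password, salt),
                    "failed": 0, "locked_until": 0.0}


def authenticate(login: str, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'locked' or 'denied'. The plaintext password is never stored."""
    now = time.time() if now is None else now
    rec = USERS.get(login)
    if rec is None:
        # Unknown login: still compute a hash so that response time does not
        # reveal whether the account exists.
        hash_password(password, b"\x00" * 16)
        return "denied"
    if now < rec["locked_until"]:
        return "locked"
    candidate = hash_password(password, rec["salt"])
    # Constant-time comparison of the stored hash with the recomputed one.
    if hmac.compare_digest(candidate, rec["hash"]):
        rec["failed"] = 0
        return "ok"
    rec["failed"] += 1
    if rec["failed"] >= MAX_FAILED_ATTEMPTS:
        rec["locked_until"] = now + LOCK_SECONDS   # lock the account
        rec["failed"] = 0
    return "denied"
```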

Pros and Cons

Pros:

  • relatively simple implementation

Cons:

  • the need for users to remember a password for each service
  • the need to implement an additional service to recover or change the password
  • the security policy of some organizations requires periodic password changes, which impairs the user experience
  • the password could be stolen using phishing or social engineering

Conclusion

Open Identity Community member, OSS Enthusiast