Login and Password Authentication
The following article is intended for newbies, who want to develop authentication for their services. In the article, we will look at the most common authentication method — login and password authentication, its implementation, advantages, and disadvantages.
Authentication is an identity verification process. For software, authentication is used for verifying the identities of users or client applications. The most common way to authenticate users is login and password authentication.
User login could be public but the password should be only in the user’s memory (and not on a piece of paper under the keyboard or taped to the monitor!) and used for verification than login belongs to the only user who knows the password.
User identity data usually stored in a user database. And the only authentication system should have access to the database to minimize the risk of credentials leak.
Login in user database stored in plaintext to quick search for the user account. Password should be stored as its hash and never in plaintext. During authentication, the hash of the password entered by the user is calculated, compared with the value stored in the database and, if the values match, authentication is successful.
To store a password in a database relatively secure, not the password itself is stored in the database, but password hash. The hash is calculated by the formula:
password_hash = hash(password). To slow-down dictionary password attack, it is necessary to add so-called salt to password. Salt - is a random value, stored within the password hash. And password hash is calculated with function from password itself and hash
password_hash = hash(password, salt). More information about salt in Wikipedia: Salt_(cryptography).
Some databases support internal authentication. In this case, the database itself is responsible for login and password authentication. Authentication service sends authentication request with login and password to the database, and the database returns authentication result: whether it is successful or not. For example, such an approach uses Microsoft Active Directory.
- If authentication was failed, do not tell users whether login exists or not
- Implement user account lock policy to prevent possible password brute force
- Use strong hashing function for example bcrypt, scrypt or PBKDF2 to prevent hash passwords reverse engineering in case user credentials database was stolen
- Use salt when hashing a password
Pros and Cons
- relatively simple implementation
- the need for users to remember a password for each service.
- the need to implement additional service to recover/change password
- the security policy of some organizations requires periodic password changes, which impairs user experience
- the password could be stolen using fishing or social engineering
Login and password authentication is the most common way to authenticate users, but it is also one of the most insecure, so it is recommended to use authentication without a password (login through social networks, biometrics, use of hardware security keys), or strengthen security by using the second authentication factor.