
Protection against Broken Authentication

links: WS TOC - Broken Authentication - Index


There are many measures that can be implemented in order to be secure:

  • Throttle brute force
    • set a maximum number of failed login attempts per account (and per source address), then lock the account or delay further attempts, and log the failures
  • Authentication relies on secure communication and secure credential storage
  • TLS should be used on all authenticated pages (just use it everywhere, with HSTS, and give an eavesdropper no chance)
  • Store passwords as salted hashes produced by a slow, password-based key derivation function (PBKDF2, bcrypt, scrypt or Argon2); never as plaintext or as a plain fast hash such as MD5 or SHA-1
  • Use well-known session management and SSO solutions. Don't build your own: it is hard and you will most likely get it wrong
  • Use one authentication mechanism, not several. Every additional login path (API, mobile app, "remember me", password reset) is another place where the weakest implementation decides your security
  • Make the mechanism as easy as possible and as complex as needed.
  • Force TLS (especially on login, password change and password reset)
  • Destroy sessions and other relevant tokens on logout, on the server side and not only in the browser
  • Expire relevant tokens (session IDs, password reset links, "remember me" cookies) after a bounded absolute lifetime and idle period
  • Do not ask users for confirmation when it comes to session termination (but inform them).
  • Do not use spoofable values for authentication: anything an attacker can observe or control while eavesdropping must not be used to authenticate users, such as the IP address, DNS name, HTTP Referer header, User-Agent, etc.
  • Do not send passwords by email
  • Use 2FA
  • Specify a minimum password length and screen new passwords against lists of known-breached passwords instead of relying on composition rules; NIST SP 800-63B is a good starting point
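The measures above that concern the application code itself (retry limit, salted slow password hashing, unguessable session tokens, token expiry, server-side logout) can be put together in one small login service. The following is an added example written for this page, not code from the original notes or from any framework; the work factor, the lockout thresholds, the session lifetime and the user names are assumptions chosen for illustration, and the `now` parameter exists only so the time-based behaviour can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
import time

# Tunables (assumed values for this example; set them per deployment).
PBKDF2_ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor
MAX_FAILED_ATTEMPTS = 5          # failures before the account is locked
LOCKOUT_SECONDS = 15 * 60        # how long a locked account stays locked
SESSION_TTL_SECONDS = 30 * 60    # idle lifetime of a session


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; salt and work factor are stored with the hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class Authenticator:
    """Credential store with lockout, plus server-side sessions with expiry and logout."""

    def __init__(self, iterations=PBKDF2_ITERATIONS):
        self.iterations = iterations
        self.users = {}     # username -> {"hash", "failures", "locked_until"}
        self.sessions = {}  # opaque token -> {"user", "expires"}
        # Hashed once, so a login for an unknown user costs as much as a wrong password
        # and the response time does not reveal which usernames exist.
        self._dummy_hash = hash_password(secrets.token_hex(16), iterations)

    def register(self, username, password):
        self.users[username] = {
            "hash": hash_password(password, self.iterations),
            "failures": 0,
            "locked_until": 0.0,
        }

    def login(self, username, password, now=None):
        """Return a session token on success, None on failure or while locked."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            verify_password(password, self._dummy_hash)  # equalise timing
            return None
        if now < user["locked_until"]:
            return None  # locked: do not even evaluate the password
        if not verify_password(password, user["hash"]):
            user["failures"] += 1
            if user["failures"] >= MAX_FAILED_ATTEMPTS:
                user["locked_until"] = now + LOCKOUT_SECONDS
                user["failures"] = 0
            return None
        user["failures"] = 0
        # The token is random and carries no client-observable attribute (IP, UA, ...).
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username, "expires": now + SESSION_TTL_SECONDS}
        return token

    def current_user(self, token, now=None):
        """Resolve a token to a user; expired sessions are purged and rejected."""
        now = time.time() if now is None else now
        session = self.sessions.get(token)
        if session is None:
            return None
        if now >= session["expires"]:
            del self.sessions[token]
            return None
        session["expires"] = now + SESSION_TTL_SECONDS  # sliding idle timeout
        return session["user"]

    def logout(self, token):
        """Destroy the server-side session so the token cannot be replayed."""
        self.sessions.pop(token, None)


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "correct horse battery staple")  # constructed sample user
    t0 = 1_700_000_000.0
    for _ in range(MAX_FAILED_ATTEMPTS):
        assert auth.login("alice", "wrong", now=t0) is None
    assert auth.login("alice", "correct horse battery staple", now=t0) is None  # locked
    token = auth.login("alice", "correct horse battery staple", now=t0 + LOCKOUT_SECONDS)
    assert auth.current_user(token, now=t0 + LOCKOUT_SECONDS + 60) == "alice"
    auth.logout(token)
    assert auth.current_user(token) is None
    print("ok")
```

Two points worth noting: sessions live server-side, so `logout` really revokes the token instead of trusting the browser to forget a cookie, and the lockout is evaluated before the password, so a locked account gives an attacker no further oracle until the lockout expires. A per-source-address limit would be added on top of this in the same way; it is left out here to keep the example focused on the per-account path.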
