CybersecPatrol


Secure Coding – Authentication and Password Management

January 25, 2024 - Secure Coding

When people think of hacking and security vulnerabilities, password leaks are often the first thing that comes to mind. Because many users register with the same email or username and the same password on many sites, a password database leaked from one site lets attackers log in to those users' accounts elsewhere (credential stuffing).

Authentication and Password Management

In this article, part of our secure coding series, we look at authentication and password management. These are vital parts of any system, covering user registration, storage of identity information, password resets, and access to private resources.

Authentication

To begin, here are some seemingly simple rules which, if followed, go a long way toward keeping an authentication system secure:

  • All authentication controls should run on a trusted system, usually the server hosting the application's backend, never in the browser or mobile client, where the user controls the code. To simplify the implementation and reduce the risk of vulnerabilities, use standardized, well-tested authentication services. Most frameworks ship such modules, and using them is advisable: they are widely deployed, maintained by many developers, and reviewed by a large number of people. You should still review the dependency and how it is wired into your application to ensure that no malicious or tampered code affects the proper functioning of your authentication module.
  • Use centralized authentication controls. Pages and resources that require authentication should not perform authentication separately. Instead, they should redirect to the centralized authentication page (more on this in the section about redirection to other pages).
  • Authentication is not only something your users do; your application itself must authenticate when it connects to external systems that hold sensitive information or functionality. The credentials it uses for that, such as passwords, PINs, API keys, or certificates, should be stored encrypted in a secure location on a trusted system (for example, a secrets store on the server). Source code is not a secure location: credentials committed to a repository end up in every clone, backup, and build log, so they should never be placed inside the code.

Password Management

Let’s now return to the topic from the start of the article. Passwords guard access to systems and are one of the first things attackers go after when probing accounts. Many different attacks are used to discover or bypass passwords (guessing, brute force, credential stuffing, phishing), which is why a securely implemented password management module is one of the most critical aspects of secure coding. Because a stolen password on its own should not be enough to get in, multi-factor authentication has become a widely adopted control. To keep your code secure, follow these guidelines:

  • Enforce a minimum password length (at least 8 characters; longer is better). Current guidance such as NIST SP 800-63B favours length and screening candidate passwords against lists of known-breached passwords over rigid composition rules (one uppercase letter, one digit, one symbol), which mostly produce predictable variations such as Password1!.
  • Throttle or temporarily block further login attempts after multiple failures. Prefer a temporary lockout or progressive delays over a permanent lock, which lets an attacker lock legitimate users out on purpose.
  • Never store passwords in plaintext, and do not store them encrypted either: encryption is reversible, and the key would sit on the same server as the data. Store only salted one-way hashes produced by a slow password-hashing function (Argon2id, scrypt, bcrypt, or PBKDF2).
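The storage rule above, as an added example that is not part of the original article: a self-describing salted scrypt record, constant-time verification, and a check that lets you raise the work factor later without locking existing users out. The parameter values, the record format (scrypt$N$r$p$salt$hash) and the function names are this example's own choices; scrypt is used because it ships in Python's standard library, and Argon2id via a library would be an equally good choice.

```python
import hashlib
import hmac
import os

# Work-factor parameters. Assumption: N=2**14, r=8 costs a few tens of
# milliseconds per hash on a 2020s server; re-measure on your hardware and raise
# N (together with maxmem) as machines get faster.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
# scrypt needs about 128*N*r bytes; OpenSSL's 32 MiB default limit trips at N=2**15.
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_BYTES = 16
KEY_BYTES = 32


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=SCRYPT_MAXMEM, dklen=KEY_BYTES)


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R,
                  p: int = SCRYPT_P) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex.

    The salt is fresh random bytes per password, so two users with the same
    password get different records and precomputed tables are useless. The
    parameters travel with the record so they can be raised later without
    invalidating existing users.
    """
    salt = os.urandom(SALT_BYTES)
    digest = _scrypt(password, salt, n, r, p)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def _parse(stored: str):
    algo, n, r, p, salt_hex, hash_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported password hash format")
    return int(n), int(r), int(p), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(password: str, stored: str) -> bool:
    n, r, p, salt, expected = _parse(stored)
    candidate = _scrypt(password, salt, n, r, p)
    # Constant-time comparison: a plain `==` stops at the first differing byte
    # and leaks how much of the hash matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was made with weaker parameters than current policy.

    Call this right after a successful verify_password and re-hash with the
    plaintext the user just supplied; that is the only moment you have it.
    """
    n, r, p, _, _ = _parse(stored)
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


def unsalted_sha256(password: str) -> str:
    """What NOT to do, for contrast: fast, unsalted, and identical for every
    user who picks the same password, so one cracked hash unlocks all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))  # False
```

Two records of the same password differ because of the salt, while two unsalted SHA-256 digests of it are identical; that difference is exactly what makes a leaked table of unsalted hashes crackable in bulk.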

Below is a checklist adapted from the OWASP Secure Coding Practices guidelines, which you can implement fully or partially based on your system’s needs:

  1. Require authentication for all pages and resources, except those explicitly designated as public.
  2. All authentication controls should be executed in a trusted system.
  3. Whenever possible, use standardized, tested authentication services rather than writing your own, and require users to re-authenticate periodically.
  4. Use a centralized implementation for all authentication controls, including those available in frameworks.
  5. Separate the authentication process from the request source and redirect users to the centralized authentication page.
  6. All authentication controls should fail securely: an error at any step must result in access being denied, never granted.
  7. All administrative and account-management functions (for example, changing passwords or deleting user accounts) should be at least as secure as the initial authentication mechanism.
  8. Store only cryptographically strong, salted one-way hashes of passwords, produced by a dedicated password-hashing function; do not store passwords encrypted or otherwise reversibly encoded.
  9. Password hashing should be performed on a trusted server-side system, not on the client: if the client sends the hash, the hash becomes the password.
  10. Validate the authentication data only after all of it has been entered, especially in multi-step login flows, so that an early step does not reveal whether the username exists.
  11. Authentication error responses should not indicate which part of the authentication data was incorrect.
  12. Use authentication for connections to external systems containing sensitive information or functionality.
  13. Authentication credentials for accessing external services should be stored securely.
  14. Only use HTTP POST requests to transmit authentication credentials.
  15. Never transmit non-temporary passwords without encryption or over an unencrypted connection.
  16. Use complexity requirements and best practices for passwords.
  17. Enforce password length requirements as dictated by policies and best practices.
  18. Passwords should not be visible on the screen when entered by the user.
  19. Temporarily lock user accounts after a specified number of invalid login attempts: long enough to defeat brute forcing, but not permanently, so that an attacker cannot lock legitimate users out by deliberately failing.
  20. Password reset and change operations require the same level of controls as account creation and authentication. Apply existing controls for password reset.
  21. Password reset questions should support sufficiently random answers to prevent easy guessing or automated brute-force attacks.
  22. If using email-based password resets, send them only to a pre-registered email address, and ensure that the link or temporary password expires after a specified time.
  23. Temporary passwords and links should have a short expiration time.
  24. Upon next use, require users to change their temporary passwords.
  25. Notify users when their password has been reset.
  26. Prevent the reuse of passwords.
  27. A password should be at least one day old before it can be changed again, so that a user cannot cycle through the password history in one sitting to get back to an old password.
  28. Disable the “Remember Me” feature for password fields.
  29. The last successful or failed login attempt should be reported to the user upon their next successful login.
  30. Implement monitoring to identify password-spraying attacks, in which the same password is tried against many accounts (one failure per account slips under per-account lockout).
  31. Change or deactivate any default passwords used during development and any accounts shared with contractors or testers.
  32. Re-authenticate users before performing critical operations.
  33. Use multi-factor authentication for accounts.
  34. If you use third-party code for authentication, carefully review it to ensure it is free of malicious code.
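Several checklist items above (11, 19, 22 to 25, 29 and 32) describe the behaviour of the login and reset flow rather than storage. The following is an added example, written for this article and not taken from it or from OWASP, of one in-memory service that implements them together: one generic error text for every failure, a decoy hash so unknown usernames cost the same time as wrong passwords, a temporary lockout after repeated failures, reporting of the previous attempt on the next successful login, and reset tokens that are stored only as a hash, expire, are single-use, and go only to the pre-registered address. The policy constants, class and method names, and the `outbox` list standing in for outbound e-mail are this example's own assumptions.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

GENERIC_ERROR = "Invalid username or password."  # one message for every failure
MAX_FAILURES = 5           # assumed policy values, not from the article
LOCKOUT_SECONDS = 15 * 60  # temporary lock: a permanent one hands attackers a DoS lever
RESET_TOKEN_TTL = 15 * 60


def _hash(password: str, salt: bytes) -> bytes:
    # Any slow, salted password hash; parameters kept low so the demo runs quickly.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 12, r=8, p=1, dklen=32)


@dataclass
class User:
    email: str                 # pre-registered address; reset mail goes nowhere else
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0
    last_attempt: Optional[Tuple[float, bool]] = None  # (timestamp, succeeded)
    reset_token_hash: Optional[bytes] = None
    reset_expires: float = 0.0


@dataclass
class LoginResult:
    ok: bool
    message: str
    previous_attempt: Optional[Tuple[float, bool]] = None  # reported after a successful login


class AuthService:
    def __init__(self) -> None:
        self.users: dict = {}
        self.outbox: list = []  # constructed stand-in for outbound e-mail
        # Decoy credential so an unknown username costs as much as a wrong password;
        # otherwise response time tells an attacker which usernames exist.
        self._decoy_salt = os.urandom(16)
        self._decoy_hash = _hash(secrets.token_hex(16), self._decoy_salt)

    def register(self, username: str, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(email=email, salt=salt, pw_hash=_hash(password, salt))

    def login(self, username: str, password: str, now: float) -> LoginResult:
        user = self.users.get(username)
        if user is None:
            hmac.compare_digest(_hash(password, self._decoy_salt), self._decoy_hash)
            return LoginResult(False, GENERIC_ERROR)
        if now < user.locked_until:
            # Same generic text even for the right password; the owner learns of the
            # lock from the notification, the attacker learns nothing from the UI.
            return LoginResult(False, GENERIC_ERROR)
        if not hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
            user.failures += 1
            user.last_attempt = (now, False)
            if user.failures >= MAX_FAILURES:
                user.failures = 0
                user.locked_until = now + LOCKOUT_SECONDS
                self.outbox.append((user.email, "account temporarily locked"))
            return LoginResult(False, GENERIC_ERROR)
        previous, user.last_attempt = user.last_attempt, (now, True)
        user.failures = 0
        return LoginResult(True, "ok", previous)

    def request_reset(self, username: str, now: float) -> str:
        user = self.users.get(username)
        if user is not None:
            token = secrets.token_urlsafe(32)
            # Store only a hash of the token; a database leak then yields nothing usable.
            user.reset_token_hash = hashlib.sha256(token.encode()).digest()
            user.reset_expires = now + RESET_TOKEN_TTL
            self.outbox.append((user.email, token))
        # Identical reply whether or not the account exists.
        return "If that account exists, a reset link has been sent."

    def complete_reset(self, username: str, token: str, new_password: str, now: float) -> bool:
        user = self.users.get(username)
        if user is None or user.reset_token_hash is None or now > user.reset_expires:
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), user.reset_token_hash):
            return False
        user.reset_token_hash = None  # single use
        user.salt = os.urandom(16)
        user.pw_hash = _hash(new_password, user.salt)
        user.failures, user.locked_until = 0, 0.0
        self.outbox.append((user.email, "your password was reset"))  # item 25: notify the user
        return True
```

The clock is passed in as `now` so the lockout and token expiry can be exercised deterministically; in production you would read `time.time()` at the call site. Note that the locked branch returns the generic error even when the password is correct: telling the caller "account locked" would confirm that the username exists, which is the information a spraying attacker is after.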