Best practices for user account, authorization, and password management
- Impose a cryptographically strong irreversible hash of the password, salting it with a value unique to that specific login credential.
- Separate user identity from the user account, designing your user management system for low coupling and high cohesion between different parts of a user’s profile. Allow users to change usernames and link multiple identities to a single user account.
- Keep username rules reasonable, remain case-insensitive and avoid restricting length and character set. Also, allow as long and complex a password as a user wants (your hashing will condense it anyway).
- Consciously decide on thresholds for session length and re-verify authentication for security in case of certain events like password resets, critical profile changes, logins from new devices or too many devices, or a sensitive action with perhaps financial implications. Offer users the option for increased security when alerting for such events and ensure even unsaved activity prior to authentication are preserved.
- Build a secure authorization system, with password reset and not retrieval, detailed activity logging, rate-limiting of login attempts, locking out users after several unsuccessful attempts, and 2-factor re-authentication for new devices or long-idle accounts.
Full post here, 9 mins read