An introduction to secure authentication

Authentication is the process of verifying that a user is who they claim to be. This is usually done with a username and password combination known only to the user. Although this sounds like it should be quite secure, authentication is often overlooked, resulting in weak or insufficient security. So let’s jump right into it!

Forcing strong passwords to be used

A common form of web attack is for a malicious user to simply guess a user’s password; this is called brute forcing. To make this type of attack impractical it has long been common practice to force users to choose complex passwords, which is achieved by requiring a number of different character types: capital and lowercase letters, numbers and special characters. Additionally, it is often recommended that users do not use common words which could be found in a dictionary or word list. Here’s an example: sD3$k98br!a^dZ

As you can see from the example above, it would be extremely difficult for a malicious user to brute force this password, as it is completely random and contains a mix of character types. You’ll often find functionality like this built into your web browser, allowing complex passwords to be generated for you.

Finally, while we’re on the topic of enforcing secure passwords, it is highly recommended that developers enforce a minimum password length; this further helps to prevent password guessing and brute force attacks.
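The policy described above (minimum length, a mix of character types, and no dictionary words) as a small server-side checker. This is an added example, not code from the original post; the minimum length of 12 and the tiny COMMON_WORDS list are constructed assumptions, and a real deployment would load a much larger breached-password list.

```python
import re
import string

# Constructed example list; assume a real application loads a large
# dictionary / breached-password list instead of these six words.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey"}

MIN_LENGTH = 12  # assumed policy value


def check_password_strength(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("must contain a lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("must contain an uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("must contain a number")
    if not any(c in string.punctuation for c in password):
        problems.append("must contain a special character")
    # Dictionary check: strip digits and symbols and lowercase the rest, so that
    # "Password123!" is still recognised as being built around "password".
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    for word in sorted(COMMON_WORDS):
        if word in letters_only:
            problems.append(f"contains the common word '{word}'")
    return problems


def is_strong(password: str) -> bool:
    return not check_password_strength(password)


if __name__ == "__main__":
    for candidate in ["sD3$k98br!a^dZ", "Password123!", "short1!", "Welcome2024!!"]:
        print(candidate, "->", check_password_strength(candidate) or "OK")
```

Returning the full list of violations (rather than stopping at the first) is what lets the front end show the user every message at once, while the same function is what the back end runs to make the final decision.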

Using an unknown username

Although websites often identify users with a public username, it is common practice to use a separate, non-public username or email address for authentication. The user is able to log in with their email address, but this is never revealed to the wider public, so an attacker is limited when it comes to gaining access to an account: they do not even know which identifier the user logs in with.

2-factor authentication

What’s better than one password? Why, two of course. No, that’s not a joke. Another method of secure authentication is to use 2-factor authentication. So, what exactly is 2-factor authentication? Well, let’s say you have logged in as normal using a username and password. Once you have entered these, a randomly generated one-time password, often a short 4-6 digit numerical code, is sent to the user by email or text message. As the user should be the only one able to read these messages, an attacker who has obtained only the password is still unable to access the account in question.
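The second step of that flow, from the server’s point of view: generate a random short code, send it, and later accept it only if it is unexpired, unused and not locked out after repeated wrong guesses. This is an added example, not code from the original post; the five-minute lifetime, the five-attempt limit, the in-memory store and the stand-in send_message() function are all assumptions.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed: a code is valid for 5 minutes
MAX_ATTEMPTS = 5         # assumed: lock the code after this many wrong guesses

# In-memory store for the example: {user_id: {"code": str, "expires": float, "attempts": int}}.
# A real application keeps this server-side (database or cache), never in the browser.
_pending = {}


def send_message(user_id, text):
    # Stand-in for the email / SMS gateway; it only prints in this example.
    print(f"[to {user_id}] {text}")


def issue_code(user_id, now=None):
    """Called after the username/password step succeeded: create and send a fresh code."""
    now = time.time() if now is None else now
    # secrets (not random) so the code is unpredictable; zero-padded to a fixed width.
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    _pending[user_id] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    send_message(user_id, f"Your login code is {code}")
    return code


def verify_code(user_id, submitted, now=None):
    """Return True only for a valid, unexpired, not-yet-locked code. Each code works once."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(user_id, None)   # expired or locked: the user must request a new code
        return False
    entry["attempts"] += 1
    # Constant-time comparison so timing does not leak how many digits matched.
    if hmac.compare_digest(entry["code"], str(submitted)):
        _pending.pop(user_id, None)   # single use
        return True
    return False


if __name__ == "__main__":
    code = issue_code("alice")
    print("wrong guess accepted?", verify_code("alice", "000000" if code != "000000" else "111111"))
    print("correct code accepted?", verify_code("alice", code))
    print("replayed code accepted?", verify_code("alice", code))
```

The attempt limit matters as much as the randomness: a 6-digit code has only a million possibilities, so without a cap on guesses the second factor could itself be brute forced.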

Securely storing user passwords

When it comes to user credentials, they must always be stored somewhere. When a user logs into the application, it checks whether the supplied password matches the saved one. Although other options are available, you’ll find that passwords are usually stored inside a database. Technically speaking, the contents of the database should never be directly revealed. Sadly, mistakes happen and data breaches do occur. All of this means user passwords must be stored in a safe and secure way.

User credentials should never be stored as readable plain text. So, how exactly do secure applications store their passwords? Well, some clever folks came up with password hashing.

Password hashing is a secure and standard practice in the IT world. Simply put, a hash is a fixed-length fingerprint of the password produced by a one-way function: the hash can be computed from the password, but the password cannot be recovered from the hash. A hash is made up of a mix of characters and is often far longer than the password itself. See the example below: the saved password is NotSoStrong, however, as this password has been hashed it is stored as 18ed2846ce540fc60470039b896f14d4. This type of hash is called MD5.

Now, MD5 itself isn’t all that secure, so I wouldn’t recommend using it to save passwords: it is very fast to compute and, used like this, unsalted, so anyone who obtains the database can test enormous numbers of guesses per second or simply look a hash up in a precomputed table. But this was simply one example. There are far more secure hashing implementations which are openly available; I’ll include some of these below.

Secure hashing in PHP

PHP developers can now make use of the password_hash() function, which creates a strong, salted, one-way password hash (bcrypt by default) that can be stored in the database. To check a user-supplied password against this hash the application uses PHP’s password_verify() function.

For more information see: https://www.php.net/manual/en/function.password-hash.php

Secure hashing with bcrypt

In Python, developers can use the bcrypt module to securely hash a password. bcrypt is also available in other languages such as Ruby or Go; links can be found below.

Python: https://pypi.org/project/bcrypt/

Ruby: https://rubygems.org/gems/bcrypt/versions/3.1.12

Go: https://golang.org/x/crypto/bcrypt
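What password_hash()/password_verify() and the bcrypt modules above actually do, written out: a random salt per password, a deliberately slow hash, and a constant-time comparison on login, contrasted with the unsalted MD5 from the earlier example. This is an added example, not code from the original post or from any of the linked libraries; because it has to run with the standard library only, it uses hashlib.scrypt as a stand-in for bcrypt (both are salted, slow hashes), and the scrypt parameters and the "salt$hash" storage format are assumptions.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters (16 MiB of memory per hash); tune for your hardware.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def hash_password(password: str) -> str:
    """Return 'salt_hex$hash_hex'. A fresh random salt is drawn for every call."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            dklen=32, **SCRYPT_PARAMS)
    # compare_digest avoids leaking, through timing, how much of the hash matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def md5_hex(password: str) -> str:
    """Unsalted MD5 as in the page's example; included only for contrast, never for storage."""
    return hashlib.md5(password.encode()).hexdigest()


if __name__ == "__main__":
    # Two users choosing the same password get two different stored values ...
    a, b = hash_password("NotSoStrong"), hash_password("NotSoStrong")
    print("salted hashes differ:", a != b)
    print("login succeeds:", verify_password("NotSoStrong", a), verify_password("NotSoStrong", b))
    print("wrong password fails:", verify_password("notsostrong", a))
    # ... whereas unsalted MD5 gives every user with that password the identical hash,
    # which is why one lookup table cracks all of them at once.
    print("MD5 identical:", md5_hex("NotSoStrong") == md5_hex("NotSoStrong"))
```

The stored value is the only thing the login path needs; the salt is not secret, it just has to be unique per password so that identical passwords do not produce identical hashes.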

Ensuring all data is verified on the back end

Many developers like to use JavaScript to validate user-inputted data, as this allows feedback to be given in real time with messages such as “Password is too short” or “Password must contain at least one number”. However, while these messages are great for the overall user experience, any formal validation must always be repeated by the back-end language, such as PHP or Python, because anything that runs in the browser can be modified or bypassed by the user. Please note that all data must also be securely sanitized before it is passed to a database (for example by using parameterized queries rather than building SQL strings by hand).
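A back-end registration and login lookup that ties the last two points together: the checks run on the server no matter what the browser did, values reach the database only through query placeholders, and the public profile is looked up by username while the login handler uses the private email address (the point of the "unknown username" section). This is an added example, not code from the original post; the in-memory SQLite database, the simplistic email check, the 12-character minimum and the PBKDF2 stand-in for bcrypt are all assumptions.

```python
import hashlib
import os
import sqlite3

# Constructed in-memory database for the example; assume a real app uses a server DB.
conn = sqlite3.connect(":memory:")
conn.execute("""
    CREATE TABLE users (
        id            INTEGER PRIMARY KEY,
        username      TEXT UNIQUE NOT NULL,   -- public handle, shown on the site
        email         TEXT UNIQUE NOT NULL,   -- private login identifier, never displayed
        password_hash TEXT NOT NULL           -- salted slow hash, never the password
    )
""")


def _hash(password: str) -> str:
    # Salted PBKDF2 from the standard library as a stand-in for bcrypt (assumption).
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def validate_registration(username: str, email: str, password: str) -> list:
    """Server-side checks. These run regardless of what the browser-side JavaScript did."""
    errors = []
    if not (3 <= len(username) <= 32) or not username.isalnum():
        errors.append("username must be 3-32 alphanumeric characters")
    # Deliberately simple email check for the example; real code would go further.
    if email.count("@") != 1 or "." not in email.split("@")[1]:
        errors.append("email address is not valid")
    if len(password) < 12:
        errors.append("password must be at least 12 characters")
    return errors


def register(username: str, email: str, password: str) -> list:
    """Return [] on success, otherwise the list of validation errors (nothing is stored)."""
    errors = validate_registration(username, email, password)
    if errors:
        return errors
    # The ? placeholders bind the values as data; they are never spliced into the SQL
    # text, so an apostrophe in an email address is stored literally and harmlessly.
    conn.execute("INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)",
                 (username, email, _hash(password)))
    conn.commit()
    return []


def public_profile(username: str):
    """What the rest of the site may see: the username only, looked up by username."""
    row = conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def login_record(email: str):
    """What the login handler uses: the row found by the private email address."""
    row = conn.execute("SELECT username, password_hash FROM users WHERE email = ?",
                       (email,)).fetchone()
    return {"username": row[0], "password_hash": row[1]} if row else None


if __name__ == "__main__":
    print(register("alice", "alice@example.com", "sD3$k98br!a^dZ"))   # []
    print(register("bob", "not-an-email", "short"))                    # two errors
    print(public_profile("alice"))                                     # alice
    print(login_record("alice@example.com")["username"])               # alice
```

The email address never appears in public_profile(), and the hash never leaves login_record(); a password check would call the verify routine on the returned password_hash rather than ever selecting by password.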
