Best practices for web login / authentication?

Question

Writing the code for the user authentication portion of a web site (including account registration, logins, and password resets) is pretty simple, but what do you need to make a really good user authentication setup? For example, I'd consider not storing plaintext passwords to be a bare minimum requirement for a web site, but that piece of advice seems to be largely transmitted by word of mouth, and plenty of sites still fail to follow it.

What is some other good advice or good requirements for the user auth portion of a web site? For example, should usernames be user-selected, or should they be email addresses? Any pitfalls for the user registration portion? (CAPTCHAs are probably worth a whole topic by themselves.) Any pitfalls for the password reset portion? Anything else?

Edit:

Somewhat duplicated here : best-practices-for-login-pages

Answer 1

Encryption

There was a question about this yesterday - "Why should I care about hashing passwords anyway?" which covers all the reasons why you should do this.

Captcha

I disagree with Ricardo on the captcha point - always require a captcha, even really unpopular sites get targetted by spammers. I have blogs that I set up to test some bits of code that I never linked to from anywhere else that were miraculously found by spammers. When a spammer has flooded your site with zillions of identical posts about viagra you'll regret not taking the extra 20 mins to install a captcha. reCaptcha has some plugins that make installing it pretty simple, AND you get to help them digify books.

Don't forget that visually impaired users will need an audio captcha.

Forgot password

If you have confirmed the user's email address then you can just generate a random new password for them. Make sure to prompt them to change their password immediately though as people will forget randomly generated passwords straight away.

Emails

DON'T bother trying to implement complex regex's that cover all possible email addresses. Do a simple check for an @ and then let the user click on a link sent to their email address to verify. This is common practice these days but I still come across people trying to get 'clever' about it.

Form validation

As well as your server side validation on the registration form you should have client side validation in the form of AJAX to let the user know as they're filling it out whether their chosen username is taken, whether their password is acceptable, etc. Users can get frustrated by having to re-submit registration forms several times.

Authentication itself

It's nice to let people log in with either their username or email address as people are more likely to remember email addresses than usernames, especially if they haven't been to your site in a while.

If your site needs added security (for example, if you're selling stuff and people can get it just by logging in), request another piece of information. Asking for their zip/postal code is a good idea as it only takes a few extra seconds to type and makes it considerably more difficult to brute force passwords.

Answer 2

On the username topic, it depends on how the username will be used on the site (beyond logging in). If your site is based on user generated content and you display the username with the content, allow the user to pick their own and make sure it is not an email address. Also, if the username will be displayed, I generally provide a bit of a warning on the registration form to let the user know, so they don't use their full name only to be angry later when it is displayed on the site.

I would recommend checking the availability and validity of a username through some type of Ajax call while the user is on the form. Having the form re-load with the password and password confirmation gone, just to have to think of a new username and re-input the data is a pain.

Other things to consider would be to enforce min/max lengths and some rules around passwords... don't make it difficult to sign up though. Also, accept special characters in the password. I have a couple of very strong passwords that I like to use and a lot of sites don't let me use them, so my account ends up being less secure than I would have made it on my own.

CAPTCHA is a good idea, just make sure it isn't super-difficult to figure out, that can be frustrating too.

There are a lot of things to consider and several options for each, but hopefully this will get you started.

Answer 3

Please also make sure your login page is secured with SSL, If you don't then the user name and password would be sent over the internet in clear text anyway. The rest of your site doesn't need to protected by SSL if there isn't sensitive info anywhere else.

Answer 4

I would say you use many of the widely available social networking API's to do the work for you. In doing so, you will be able to completely relieve your page of quite a few security flaws in terms of Login and user authentication (read passwords and user data) and pass it on to the stable hands of said Social Networks.

And since the entire process can be completed at the click of one button, it also makes your UX better and can be smoothly integrated into your UI.

Some examples of such API's would be Facebook, Google, LinkedIn, Twitter, Dribbble. Select yours as per your idea of the user base you will be targetting.

Also, in my recent experience, the hello.js framework makes this task pretty easy.

Answer 5

MSDN ran an article that touches on some of these issues; a copy is available here. Most of the suggestions mirror ideas here; one additional idea off of that article is to "track the traffic through your registration funnel." Track hits to error, warning, and recovery portions of the system to see if you need to make some usability enhancements.