Is the Sign-up/Login/Password Reset Solution Secure?
In this article, we discuss the security of a sign-up/login/password reset solution for a web-based platform. While the current solution is considered to be a bare minimum, there are several areas for improvement. We explore these areas and provide recommendations to enhance the security of the system.
Registration
- PBKDF2 is an older algorithm and should be replaced with something newer like Argon2, scrypt, or bcrypt.
- The length and source of the salt should be specified. It should be at least 64 bits, cryptographically random, and unique for each user.
- The iteration count/work factor should be set as high as the server can tolerate without causing a denial-of-service risk.
- Store the password verifier (hash) properly, including algorithm, salt, work factor, and hash values.
- Consider implementing checks for password quality and comparing against a list of known breached passwords.
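The salt, work factor, and storage points above can be combined into one self-describing verifier string. This is an added example, not code from the solution under review; it uses scrypt from Python's standard library, and the `algorithm$N$r$p$salt$hash` layout, parameter values, and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed parameters for this example; raise N as far as the server tolerates.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
SALT_BYTES = 16  # 128 bits, above the 64-bit minimum
KEY_BYTES = 32
MAXMEM = 64 * 1024 * 1024  # upper bound on scrypt memory use


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _derive(password: str, salt: bytes, n: int, r: int, p: int, length: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=MAXMEM, dklen=length)


def make_verifier(password: str) -> str:
    """Return a self-describing verifier: algorithm$N$r$p$salt$hash."""
    salt = secrets.token_bytes(SALT_BYTES)  # CSPRNG output, fresh for every user
    digest = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(digest)])


def check_password(password: str, stored: str) -> bool:
    """Verify with the parameters recorded in the verifier, not today's defaults."""
    try:
        algo, n, r, p, salt_b64, hash_b64 = stored.split("$")
        if algo != "scrypt":
            return False  # only the one expected algorithm is accepted
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        actual = _derive(password, salt, int(n), int(r), int(p), len(expected))
    except ValueError:  # malformed record, bad base64, or invalid parameters
        return False
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def needs_rehash(stored: str) -> bool:
    """True when the record uses another format or a lower work factor."""
    parts = stored.split("$")
    return len(parts) != 6 or parts[0] != "scrypt" or int(parts[1]) < SCRYPT_N
```

Because the parameters travel with each record, the work factor can be raised later and old records upgraded at the next successful login when `needs_rehash` returns true.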
Authorization
- Consider adding support for multi-factor authentication.
- Specify the algorithm used to sign the JWTs and ensure it is the only one accepted.
- Securely store the JWT signing key in a key management service.
- Set appropriate expiration times for JWTs and consider using refresh tokens.
Recovery
- Ensure that the recovery URL contains a random secret with sufficient entropy.
- Consider making the password reset link single-use.
Other important considerations include logging security outcomes, implementing anti-brute-forcing protection, and considering user experience in the authentication process.