Is the Sign-up/Login/Password Reset Solution Secure?

In this article, we discuss the security of a sign-up/login/password reset solution for a web-based platform. While the current solution meets a bare minimum, there are several areas for improvement. We explore these areas and provide recommendations to enhance the security of the system.

Registration

  • PBKDF2 is an older algorithm and should be replaced with something newer like argon2, scrypt, or bcrypt.
  • The length and source of the salt should be specified. It should be at least 64 bits, cryptographically random, and unique for each user.
  • The iteration count/work factor should be set as high as the server can tolerate without causing a denial-of-service risk.
  • Store the password verifier (hash) properly, including algorithm, salt, work factor, and hash values.
  • Consider implementing checks for password quality and comparing against a list of known breached passwords.
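The registration points above, put together in one place, as an added example (not code from the article): scrypt in place of PBKDF2, a 128-bit per-user salt from the OS CSPRNG, a tunable work factor, a verifier record that carries algorithm, parameters, salt and hash so the work factor can be raised later, a constant-time comparison, and a length plus breached-list quality check. The scrypt parameters, the minimum length and the breached-password set are constructed values for the example, not numbers the article gives.

```python
import base64
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed breached-password list for this example. A real deployment
# would consult a breach corpus (for example by hashed prefix) rather than
# a literal set of strings.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

# Current hashing policy. The scrypt parameters are assumed example values;
# raise SCRYPT_N until a login takes as long as the server can tolerate.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16            # 128 bits; the 64-bit floor named above is a minimum
MIN_PASSWORD_LEN = 12      # assumed policy value


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii").rstrip("=")


def unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def check_password_quality(password: str) -> List[str]:
    """Return the list of problems found; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    if password.lower() in BREACHED_PASSWORDS:
        problems.append("appears in the breached-password list")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive the verifier and encode algorithm, parameters, salt and hash together.

    Record format (PHC-style): $scrypt$ln=14,r=8,p=1$<salt>$<hash>
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # cryptographically random, per user
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    ln = SCRYPT_N.bit_length() - 1               # log2(N)
    return f"$scrypt$ln={ln},r={SCRYPT_R},p={SCRYPT_P}${b64(salt)}${b64(digest)}"


def parse_record(stored: str) -> Optional[Tuple[int, int, int, bytes, bytes]]:
    """Split a stored record into (N, r, p, salt, hash); None if malformed."""
    try:
        empty, algo, params, salt_b64, hash_b64 = stored.split("$")
        if empty != "" or algo != "scrypt":
            return None
        kv = dict(item.split("=") for item in params.split(","))
        ln, r, p = int(kv["ln"]), int(kv["r"]), int(kv["p"])
        if not (1 <= ln <= 30 and r >= 1 and p >= 1):
            return None
        return 2 ** ln, r, p, unb64(salt_b64), unb64(hash_b64)
    except (ValueError, KeyError):
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute the verifier with the parameters stored in the record itself."""
    parsed = parse_record(stored)
    if parsed is None:
        return False
    n, r, p, salt, expected = parsed
    try:
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=n, r=r, p=p, dklen=len(expected))
    except ValueError:                            # parameters outside what scrypt accepts
        return False
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def needs_rehash(stored: str) -> bool:
    """True when the record uses weaker parameters than the current policy."""
    parsed = parse_record(stored)
    if parsed is None:
        return True
    n, r, p, _, _ = parsed
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P
```

On a successful login, call `needs_rehash` on the stored record and, if it returns true, re-hash the just-verified password with the current parameters; that is how the work factor gets raised over time without a forced reset.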

Authorization

  • Consider adding support for multi-factor authentication.
  • Specify the algorithm used to sign the JWTs and ensure it is the only one accepted.
  • Securely store the JWT signing key in a key management service.
  • Set appropriate expiration times for JWTs and consider using refresh tokens.
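The two JWT points (one pinned signing algorithm, a short expiry) as an added example, not code from the article: an HS256 signer and a verifier that rejects any header algorithm other than the pinned one, including `none`, before it looks at the signature, checks the signature in constant time, and then enforces `exp`. The key loader is an assumption about deployment (key injected from a key management service via the environment); the 15-minute lifetime is an assumed value.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# The single algorithm this service signs with and accepts. Anything else in
# the header, including "none", is rejected before the signature is checked.
ALLOWED_ALG = "HS256"
ACCESS_TOKEN_TTL = 15 * 60   # seconds; assumed value, kept short because an
                             # access token cannot be revoked once issued


def load_signing_key() -> bytes:
    """Assumed deployment: the key is pulled from the key management service at
    start-up and handed to the process through the environment, never in code."""
    key = os.environ.get("JWT_SIGNING_KEY")
    if key is None or len(key) < 32:
        raise RuntimeError("JWT_SIGNING_KEY missing or shorter than 32 bytes")
    return key.encode("utf-8")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes, ttl: int = ACCESS_TOKEN_TTL,
             now: Optional[int] = None) -> str:
    """Issue a token with iat/exp set by the server, never by the client."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl)
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the token is well-formed, carries exactly
    ALLOWED_ALG, verifies under `key`, and has not expired; otherwise None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(unb64url(header_b64))
        payload = json.loads(unb64url(payload_b64))
        sig = unb64url(sig_b64)
    except ValueError:                       # bad base64, bad JSON, bad UTF-8
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != ALLOWED_ALG:     # pinned: the header does not choose
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return payload
```

Verification does the algorithm check first so that a token whose header names a different algorithm never reaches the signature step; the verifier's behaviour is fixed by `ALLOWED_ALG`, not by whatever the token claims.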

Recovery

  • Ensure that the recovery URL contains a random secret with sufficient entropy.
  • Consider making the password reset link single-use.
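An added example (not code from the article) covering both recovery points and the refresh-token suggestion under Authorization, since they need the same mechanism: a store that issues 256-bit random tokens, keeps only a SHA-256 fingerprint of each, accepts each token at most once, expires it after a lifetime, and drops any earlier outstanding token for the same user. The reset and refresh lifetimes and the URL layout are assumed values.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_BYTES = 32                # 256 bits from the OS CSPRNG
RESET_TTL = 15 * 60             # assumed lifetime for a password reset link
REFRESH_TTL = 14 * 24 * 3600    # assumed lifetime for a refresh token


class SingleUseTokenStore:
    """Issues opaque random tokens and honours each one at most once.

    Only a SHA-256 fingerprint is stored, so a copy of the table yields no
    usable tokens; the token itself lives only in the link (or on the client)
    until it is redeemed."""

    def __init__(self, ttl: int) -> None:
        self.ttl = ttl
        self._pending: Dict[str, Tuple[str, int]] = {}   # fingerprint -> (subject, expiry)

    @staticmethod
    def fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, subject: str, now: int) -> str:
        # A new token supersedes any earlier outstanding one for the same subject.
        self._pending = {fp: rec for fp, rec in self._pending.items() if rec[0] != subject}
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._pending[self.fingerprint(token)] = (subject, now + self.ttl)
        return token

    def redeem(self, token: str, now: int) -> Optional[str]:
        # pop() removes the record whatever happens next; that is what makes
        # the token single-use. An expired token is consumed without success.
        record = self._pending.pop(self.fingerprint(token), None)
        if record is None:
            return None
        subject, expires_at = record
        return subject if now < expires_at else None


def build_reset_url(base_url: str, token: str) -> str:
    """Assumed URL layout for the example."""
    return f"{base_url}/reset-password?" + urlencode({"token": token})


def token_from_url(url: str) -> Optional[str]:
    values = parse_qs(urlparse(url).query).get("token", [])
    return values[0] if len(values) == 1 else None
```

For refresh tokens the same store is used with `REFRESH_TTL`; redeeming a refresh token issues a new access token and a new refresh token, and the old one is already gone from the table, so a replayed refresh token fails and can be logged as a signal that it was copied.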

Other important considerations include logging security outcomes, implementing anti-brute-forcing protection, and considering user experience in the authentication process.
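The anti-brute-forcing and logging points as an added example, not code from the article: a per-account sliding-window failure counter that refuses further attempts once the threshold is hit, checked before any password hashing is done, and a structured log record for every outcome so detections can be built on them. The window and threshold are assumed policy values.

```python
import json
import logging
from collections import deque
from typing import Deque, Dict, List

# Assumed policy values: five failures per account inside a 15-minute window.
FAILURE_WINDOW = 15 * 60
MAX_FAILURES = 5

log = logging.getLogger("auth")


class LoginThrottle:
    """Sliding-window failure counter per principal, plus a structured record
    of every outcome (success, failure, blocked)."""

    def __init__(self) -> None:
        self._failures: Dict[str, Deque[int]] = {}
        self.events: List[dict] = []   # kept in memory here; normally shipped to the SIEM

    def _recent(self, principal: str, now: int) -> Deque[int]:
        window = self._failures.setdefault(principal, deque())
        while window and window[0] <= now - FAILURE_WINDOW:
            window.popleft()
        return window

    def is_blocked(self, principal: str, now: int) -> bool:
        return len(self._recent(principal, now)) >= MAX_FAILURES

    def record(self, principal: str, outcome: str, now: int, **fields) -> None:
        event = {"ts": now, "event": "login", "principal": principal,
                 "outcome": outcome, **fields}
        self.events.append(event)
        log.info(json.dumps(event, sort_keys=True))
        if outcome == "failure":
            self._recent(principal, now).append(now)
        elif outcome == "success":
            self._failures.pop(principal, None)   # a good login clears the count


def attempt_login(throttle: LoginThrottle, username: str, credentials_valid: bool,
                  now: int, source_ip: str) -> str:
    """Outcome of one attempt: 'success', 'failure' or 'blocked'.

    The throttle is consulted before the (expensive) password check, and the
    caller shows the same generic message for 'failure' and 'blocked' so the
    response does not reveal whether the account exists or is locked."""
    key = username.lower()
    if throttle.is_blocked(key, now):
        throttle.record(key, "blocked", now, source_ip=source_ip)
        return "blocked"
    outcome = "success" if credentials_valid else "failure"
    throttle.record(key, outcome, now, source_ip=source_ip)
    return outcome
```

Blocked attempts are logged but do not extend the window, so an attacker cannot keep a legitimate user locked out indefinitely by continuing to hammer the account; the `source_ip` field in each event is what lets a detection rule separate one client failing against many accounts from many clients failing against one.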
