User ID and Password Authentication🔗
This checklist is designed to ensure the security of user authentication. It includes a series of steps and best practices for protecting user IDs and passwords and preventing unauthorized access to user accounts.
🔨 User Registration🔗
Note
The following two checklists should be considered for the identifiers that can be used as a User ID.
Username
| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: Usernames are case insensitive Reason: Prevent confusion between 'smith' and 'Smith' | Low | Impersonation xxxxxxxxxx |
ACS |
| 2 | Verify: Usernames are unique Reason: Prevent a username to be used for multiple accounts | High | Impersonation |
ACS |
| 3 | Verify: Usernames must be at least 6 characters long Reason: Protection against guessing attacks | High | Brute Force |
ACS |
| 4 | Verify: Usernames are not the same as some system-reserved names such as root, admin, administrator, etc. Reason: Prevent user from receiving high privileges | High | Privilege Escalation |
ACS |
| 5 | Verify: Disallow common and easily guessable usernames such as test, user, admin, etc. Reason: Make it harder for an attacker to predict someone's username | Low | Brute Force |
⛔ |
| 6 | Verify: Username are no longer than 254 characters in length Reason: Protection against denial of service attack | Low | Denial of Service |
IVCS |
| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: Emails are no longer than 254 characters in length Reason: Protection against denial of service attack | Low | Denial of Service xxxxxxxxxxxxxxx |
IVCS |
| 2 | Verify: Email receives a PIN or a URL token for verification. The PIN and URL token Checklists under Forgot Credentials must be used for this Reason: Verify that a person has access to the email they provided | High | Impersonation |
IVCS |
| 3 | Verify: Emails are unique Reason: Prevent an email to be used for multiple account | High | Impersonation |
IVCS |
Password
| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: A password is at least 8 characters in length Reason: Protect against guessing since shorter passwords can be guessed | High | Brute Force xxxxxxxxxxx |
ACS, NISP800-63B |
| 2 | Verify: A password's maximum length is at least 64 characters Reason: Protect against password length Denial of Service attacks | Low | Denial of Service |
ACS, ASVS, SP800-63B |
| 3 | Verify: All ASCII characters, Unicode, and white spaces are considered valid input Reason: Allow users to create a complex password which will make it hard to guess | Medium | Brute Force |
SP800-63B |
| 4 | Verify: Password contains characters from the following categories: Upper and lower case alphabets, numbers, special characters and unicodes Reason: Increases passwords entropy which makes it harder to predict | High | Brute Force |
MS365 |
| 5 | Verify: Common or previously breached passwords are blocked Reason: Protect against password guessing | Medium | Brute Force |
ACS, ASVS, SP800-63B |
| 6 | Verify: The user is not asked to set password hints Reason: Reveals information about the password, which makes it easier to guess | High | Brute Force |
ASVS, SP800-63B |
| 7 | Verify: The user is notified of an account creation via email Reason: The user is aware of the use of their email on an external website | Medium | Impersonation |
ASVS, SP800-63B |
📦 Credential Storage🔗
| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: Passwords are hashed before storing in the database Reason: In case of a password leak, the hashed passwords won't allow access to an account | High | SQL Injection |
PSCS, ASVS, SP800-63B |
| 2 | Verify: User IDs are stored securely in the database by either hashing or encrypting them Reason: In case of a data breach, user IDs are unreadable | Low | SQL Injection |
⛔ |
| 3 | Verify: Only approved encrypting and hashing algorithms are used Reason: Unapproved hashing algorithms are insecure since they can be bypassed and clear text values can be extracted | High | Weak Hash, Weak Encryption |
PSCS, ASVS, SP800-63B |
| 4 | Verify: Salt is used before hashing passwords Reason: Makes passwords even more complex by adding additional characters to it. Also helps make same passwords used by multiple users different | High | Brute Force |
PSCS, ASVS, SP800-63B |
| 5 | Verify: Salt is at least 32 bits in size Reason: Makes it challenging to be guessed | High | Brute Force |
PSCS, ASVS, SP800-63B |
| 6 | Verify: Salt is unique for each password Reason: When two users choose the same password, their hash won't be the same as each password is appended to a unique salt | High | Brute Force |
PSCS, ASVS, SP800-63B |
| 7 | Verify: Salt is generated by using secure random algorithms Reason: Makes it hard to predict the value of the hash | High | Brute Force |
PSCS, ASVS, SP800-63B |
| 8 | Verify: Peppering can be used in addition to salting Reason: Adds additional security to the passwords. Preferred for sensitive accounts | Low | Brute Force |
OPSCS |
| 9 | Verify: If peppering is used, it is stored in a password vault Reason: More secure than storing in the database | High | Brute Force |
OPSCS |
| 10 | Verify: Pepper rotation policy is in place Reason: In case of a leak, rotation policy will invalidate the older pepper | High | Brute Force, Credential Theft |
OPSCS |
| 11 | Verify: Pepper is produced by using secure random algorithms Reason: Makes it challenging to guess the value | High | Brute Force |
OPSCS |
🚦 User Verification🔗
| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: If account lockout is in place for the provided user ID, authentication process should not even start Reason: Response time delays during authentication can reveal if an account exists in the database or not. This is also a waste of resources | Medium | Brute Force |
⛔ |
| 2 | Verify: An account is locked after a certain number of failed attempts Reason: Rate limiting mechanism to prevent guessing | High | Brute Force |
ACS, ASVS |
| 3 | Verify: Account lockout is not for a fixed time rather, it should increase exponentially with each failed login attempt Reason: Rate limiting mechanism that makes it challenging for guessing attacks to occur | Medium | Brute Force |
ACS, SP800-63B |
| 4 | Verify: The user is notified via email when an account lockout takes place Reason: The user must be aware if someone tried to guess their account so they can change their password | High | Brute Force |
⛔ |
| 5 | Verify: Error responses for failed login attempts are generic such as: user ID or password is incorrect Reason: Too specific error messages can reveal information about the user's account | Medium | Brute Force |
ACS |
| 6 | Verify: HTTP status codes during authentication are generic Reason: Too specific error messages can reveal information about the user's account | Informational | Brute Force |
ACS |
| 7 | Verify: Response time for user ID and password checks during authentication should be the same Reason: The difference in response time can indicate if credentials was found in the database or not | Medium | Brute Force |
ACS |
| 8 | Verify: All authentication cookies must follow implementation guidelines in Session Management Reason: Implement authentication cookies securely | High | Cookie Poisoning |
ACS, SP800-63B |
| 19 | Verify: The user is sent an email notification if login occurs from a different device, IP, or geo-location Reason: In case someone else logged into the user's account without their consent | Low | Impersonation |
ACS |
🔃 Credential Reset🔗
| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: The user is required to reauthenticate before a password or user ID reset Reason: Ensures that the actual user is making a change, not someone else | High | Impersonation xxxxxxxx |
ACS, SP800-63B |
| 2 | Verify: The user is required to type the new password twice Reason: Helps prevent typos | Low | ⛔ | SP800-63B |
| 3 | Verify: Reuse of old passwords is not allowed Reason: Users are likely to use the same password across many websites, which can be a risk if one of those websites is compromised | Low | Brute Force |
⛔ |
| 4 | Verify: When a new credential is set, it must follow Registration and Credential Storage guidelines for secure handling and storage Reason: Ensure that new credentials are secure | High | Credential Theft |
⛔ |
| 5 | Verify: Email notification is sent to this user when a credential change is successful Reason: Incase the user did not authorize a password change, they should know someone else did | Medium | Impersonation |
ACS, SP800-63B |
🤔 Forgot Credentials🔗
When a user chooses forgot credentials, their identity can be verified through multiple ways:
- Generate a PIN that can be sent to the user with the provided email. This PIN needs to be confirmed before a password reset is allowed
- Create a token and pass it into the query string, create a limited session around that unique URL, and send it to the user's email
- Recovery/Backup codes can also be used to give access when the user forgets their password
The following items must be considered for using PINS, URL tokens or Backup Codes.
PIN
| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: The PIN must be 6 to 12 digits long Reason: Increase complexity which helps against guessing | High | Brute Force |
FPCS |
| 2 | Verify: The PIN is unique and is generated using secure random algorithms Reason: Provides additional protection against guessing since a truly random value is hard to predict | High | Brute Force |
FPCS |
| 3 | Verify: The PIN is sent to either email or phone number that the user provided Reason: The possession of the PIN verifies their identity | High | Credential Theft |
FPCS |
| 4 | Verify: A limited time session is permitted for the PIN until it expires Reason: In case the PIN leaks through an email/phone compromise, it is no longer active after a few minutes | High | Credential Theft |
FPCS |
| 5 | Verify: Use Credential Storage policies for hashing the PIN when it's being stored Reason: Helps against database compromise or PIN leakage | High | Credential Theft |
FPCS |
| 6 | Verify: A generic message is shown if the email provided exists or not such as: "A PIN will be sent to the provided email if it exists in the database" Reason: Too specific error messages can reveal information about the user's account | Medium | Brute Force |
FPCS |
| 7 | Verify: The PIN is checked for validity before the user can set the set a new password Reason: The likelihood of a logic error is high when PIN validity check and password reset happen together | High | Logic Error, Impersonation |
FPCS |
| 8 | Verify: The PIN in invalidated once it has been used Reason: Prevent the reuse of the PIN in case an attacker gets a hold of it | High | Credential Theft |
FPCS |
URL Token
| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: The token is generated using secure random algorithms Reason: Protection against guessing since a random value is hard to predict | High | Brute Force xxxxxxxxxxx |
FPCS |
| 2 | Verify: Use Credential Storage checklist for hashing the token for secure storage Reason: Helps against database compromise or token leakage | High | Credential Theft |
FPCS |
| 3 | Verify: URL is hard-coded rather than relying on the host header Reason: Protection against host header injection | Medium | Host Header Injection |
FPCS |
| 4 | Verify: The reset password page uses the Referrer Policy tag with the noreferrer value Reason: Prevention against referrer leakage |
Medium | Referrer Leakage |
FPCS |
| 5 | Verify: A limited session is allowed for the URL token before it expires Reason: In case the token leaks through an email/phone compromise, is no longer active after a few minutes | High | Credential Theft |
FPCS |
| 6 | Verify: The token is checked for validity before the user can set the set a new password Reason: Ensures that the request is coming from the intended user | High | Impersonation |
FPCS |
| 7 | Verify: The token is invalidated once it has been used Reason: Prevent the reuse of the token | High | Credential Theft |
FPCS |
Additional Authenticator Factor
Recovery/Backup code security checklist can be viewed here
Continue ...
Once the user has been confirmed, then Credential Reset checklist must be used
📋 Authentication Policies🔗
| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: All authentication-related events must be logged, such as account lockout, account creation, account login, etc. Reason: Helps in detecting and investigating security incidences | High | Insufficient Logging |
ACS |
| 2 | Verify: Passwords and private user IDs aren't logged Reason: Sensitive user data exists in plaintext | High | Information Leakage |
LCS |
| 3 | Verify: All user-supplied input i.e. passwords, user IDs, PINs etc., should never be trusted and must be validated Reason: Protect against injection or denial of service attacks | High | SQL Injection |
ACS |
| 4 | Verify: TLS (HTTPS) and Strict-Transport-Security header is enable for every authentication process Reason: Network traffic is encrypted which helps prevent eavesdropping |
High | Eavesdropping |
ACS, SP800-63B |
| 5 | Verify: Rate limiting mechanisms exist Reason: Prevention against guessing and denial of service | High | Denial of Service, Brute Force |
SP800-63B |
| 6 | Verify: Password expiration is in place Reason: Incase password leaks it is not active forever | Medium | Impersonation, Credential Theft |
ACS, SP800-63B |
| 7 | Verify: The application requires the user to reauthenticate for sensitive features such as payment, updating password or user ID etc. Reason: Ensures that request is coming from the intended user | High | Impersonation |
ACS, SP800-63B |
| 8 | Verify: User has the option to set a second or multi-factor authentication Reason: Password leak won't have any impact because the second factor is still not compromised | High | Impersonation, Credential Theft |
PSCS, ASVS, SP800-63B |
| 9 | Verify: Re-authentication takes place after a period of inactivity Reason: This helps to prevent unauthorized access to user accounts and sensitive information, even if a user's device or session has been compromised | High | Impersonation |
ACS, SP800-63B |
🔴 Authentication in Production🔗
| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: Regularly monitor log activity Reason: To detect any suspicious activity such as multiple failed login attempts | High | Most Vulnerabilities |
⛔ |
| 2 | Verify: Periodically review registered user IDs for suspicious entries Reason: Ensure that registered usernames are not impersonating someone else, using profanity, or containing malicious characters | Medium | Website Defacement, Impersonation |
⛔ |
| 3 | Verify: Third party software or libraries used for password authentication are updated to the most recent version and are regularly patched Reason: Vulnerability in a third party resource can grant an attacker unauthorized access | High | Vulnerable Dependency |
⛔ |
| 4 | Verify: Conduct regular security assessments, vulnerability scans, and penetration testing to identify vulnerabilities in custom and third-party code Reason: Identify any security vulnerabilities that might have appeared in password authentication implementation | High | Most Vulnerabilities |
⛔ |
🔗 Sources:
Microsoft (MS):
Open Web Application Security Project (OWASP):
- [ASVS] Application Security Verification Standard - Authentication
- [ACS] Authentication Cheat Sheet
- [PSCS] Password Storage Cheat Sheet
- [FPCS] Forgot Password Cheat Sheet
- [IVCS] Input Validation Cheat Sheet
- [LCS] Logging Cheat Sheet
National Institute of Standards and Technology (NIST):