The cheat sheet below condenses the OWASP Authentication Cheat Sheet into a table of key points that can be referenced quickly. It is a summary, not a substitute for the full guidance: for details and for the related cheat sheets it refers to (Input Validation, Forgot Password, Password Storage), see OWASP – Authentication.
| Topic | Key Security Points |
|---|---|
| User IDs | • Treat usernames/user IDs as case-insensitive and require them to be unique: ‘smith’ and ‘Smith’ are the same user. • For high-security applications, consider assigning secret usernames instead of accepting user-defined, public data (such as an email address) as the identifier. |
| Email Address as User ID | • If an email address is used as the user ID, validate it as described in the OWASP Input Validation Cheat Sheet before accepting it. |
| Sensitive Accounts | • Never allow sensitive internal/backend accounts (those used by the application itself towards middleware or databases) to log in through any front-end user interface. • Keep the authentication solution used internally separate from the one used for unsecured public/DMZ access. |
| Password Strength | • Enforce a minimum length of 8 characters and allow at least 64; accept every character type, including Unicode and whitespace. • Do not impose composition rules (for example “at least one upper-case letter and one digit”): they make passwords more predictable, not stronger. |
| Password Recovery | • Implement the “Forgot Password” flow as described in the OWASP Forgot Password Cheat Sheet rather than inventing one. |
| Secure Storage | • Store passwords only as salted hashes produced by a modern, deliberately slow algorithm (Argon2id, scrypt, bcrypt or PBKDF2); never in plaintext or as a fast unsalted hash. • Follow the OWASP Password Storage Cheat Sheet for the algorithm and its parameters. |
| Password Comparison | • Compare the candidate hash with the stored hash using the secure comparison function your language or framework provides. • That function must run in constant time: a plain equality check stops at the first differing byte and leaks information through response timing. |
| Change Password Feature | • Only allow a password change from an authenticated, active session. • Require the current password before accepting the new one, so that a hijacked session alone cannot take over the account. |
| Secure Transmission | • Serve the login page and every authenticated page after it exclusively over TLS. • Without TLS, an attacker on the path can alter the login form action so that credentials are posted to a location they control, or simply read the credentials in transit. |
| Re-authentication | • Ask for the current credentials again before changing sensitive account data (email address, password). • This mitigates CSRF and session hijacking: a forged request or a stolen session cannot supply the current password. |
| Transaction Auth | • Require a second authentication factor to authorize highly sensitive or high-value operations. |
| TLS Client Auth | • For high-security environments, consider mutual (two-way) TLS, in which the browser presents a client certificate in addition to verifying the server's certificate. |
| Error Messages | • Return the same generic message whether the user ID or the password was wrong (for example “Login failed; invalid user ID or password”). • Never indicate whether the username exists, in the message text or in the time taken to respond. |
| Automated Attacks | • Defend against brute-force and credential-stuffing attacks with MFA, login throttling or account lockout, and CAPTCHAs. |
| Error Codes and URLs | • Make sure HTTP status codes, redirects and URLs are identical for valid and invalid accounts so that they do not leak whether an account exists. |
| Conclusion | • No single control is sufficient; combine these measures for a defense-in-depth authentication posture. |
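Several rows of the table (User IDs, Password Strength, Secure Storage, Password Comparison, Change Password Feature, Error Messages, Automated Attacks) describe controls that are easiest to understand together in one login flow. The following is an added example written for this page; it is not code from the OWASP cheat sheet or from OWASP. The in-memory user store, the failure counters and the lockout policy (5 failures within 300 seconds) are assumptions made for the example; PBKDF2-HMAC-SHA256 with 600,000 iterations is the iteration count the OWASP Password Storage Cheat Sheet gives for that algorithm.

```python
"""Added example (not OWASP's code): a small in-memory login service that
applies the cheat sheet's User ID, password policy, storage, comparison,
change-password, error-message and throttling rows in one place."""
import hashlib
import hmac
import os
import secrets
import time
import unicodedata
from typing import Optional, Tuple

MIN_PASSWORD_LEN = 8        # OWASP: at least 8 characters
MAX_PASSWORD_LEN = 64       # OWASP: allow at least 64 characters
PBKDF2_ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet value for PBKDF2-HMAC-SHA256
LOCKOUT_THRESHOLD = 5       # assumed throttling policy: 5 failures ...
LOCKOUT_WINDOW = 300.0      # ... within 300 s locks the user ID for the rest of the window

# One message for unknown user IDs and wrong passwords alike: nothing to enumerate.
GENERIC_LOGIN_ERROR = "Login failed; invalid user ID or password."

# Constructed in-memory state (assumption for the example):
#   _USERS:    normalized user ID -> (salt, pbkdf2 hash)
#   _FAILURES: normalized user ID -> (failure count, time of first failure in window)
_USERS = {}
_FAILURES = {}


def normalize_username(username: str) -> str:
    """User IDs are case-insensitive: 'smith' and 'Smith' map to the same key."""
    return unicodedata.normalize("NFKC", username).strip().casefold()


def check_password_policy(password: str) -> Optional[str]:
    """Length bounds only: no composition rules; Unicode and whitespace are accepted."""
    if len(password) < MIN_PASSWORD_LEN:
        return f"password must be at least {MIN_PASSWORD_LEN} characters"
    if len(password) > MAX_PASSWORD_LEN:
        return f"password must be at most {MAX_PASSWORD_LEN} characters"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash; the per-user salt is stored beside the hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Unknown user IDs are checked against this dummy record so that a login attempt
# takes the same time whether or not the user exists (no timing-based enumeration).
_DUMMY_SALT, _DUMMY_HASH = hash_password(secrets.token_urlsafe(32))


def register(username: str, password: str) -> bool:
    """Returns False if the (case-insensitive) user ID is already taken."""
    key = normalize_username(username)
    if key in _USERS:
        return False
    error = check_password_policy(password)
    if error:
        raise ValueError(error)
    _USERS[key] = hash_password(password)
    return True


def is_throttled(username: str, now: float) -> bool:
    count, since = _FAILURES.get(normalize_username(username), (0, now))
    return count >= LOCKOUT_THRESHOLD and now - since < LOCKOUT_WINDOW


def _record_failure(key: str, now: float) -> None:
    count, since = _FAILURES.get(key, (0, now))
    if count and now - since >= LOCKOUT_WINDOW:  # previous window expired: start over
        count, since = 0, now
    _FAILURES[key] = (count + 1, since)


def login(username: str, password: str, now: Optional[float] = None) -> Tuple[bool, Optional[str]]:
    """(True, None) on success, otherwise (False, GENERIC_LOGIN_ERROR)."""
    now = time.monotonic() if now is None else now
    key = normalize_username(username)
    if is_throttled(username, now):
        return False, GENERIC_LOGIN_ERROR  # locked out: same message, even for the right password
    salt, stored = _USERS.get(key, (_DUMMY_SALT, _DUMMY_HASH))
    _, candidate = hash_password(password, salt)
    # Constant-time comparison; a plain == would stop at the first differing byte.
    if hmac.compare_digest(candidate, stored) and key in _USERS:
        _FAILURES.pop(key, None)
        return True, None
    _record_failure(key, now)
    return False, GENERIC_LOGIN_ERROR


def change_password(username: str, current_password: str, new_password: str,
                    now: Optional[float] = None) -> bool:
    """Re-authenticates with the current password before storing the new one."""
    ok, _ = login(username, current_password, now)
    if not ok:
        return False
    error = check_password_policy(new_password)
    if error:
        raise ValueError(error)
    _USERS[normalize_username(username)] = hash_password(new_password)
    return True
```

Two design points worth noting. A login for a user ID that does not exist still runs the full PBKDF2 computation against a dummy record, because skipping the hash would make unknown IDs answer noticeably faster than known ones and so leak the same information the generic message hides. And the lockout check runs before hashing and returns the same generic message, so a locked account looks identical to a wrong password from the outside; the cost of that choice is that an attacker can deliberately lock a victim out, which is why OWASP pairs throttling with MFA and CAPTCHAs rather than relying on lockout alone.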