Authentication and Password Management

OWASP Secure Coding Practices is a handy document for programmers to help them to validate whether all best practices were followed during project implementation. Authentication and Password Management are critical parts of any system and they are covered in detail from user signup, to credentials storage, password reset and private resources access.

Some guidelines may be grouped for more in depth details. Source code examples are provided to illustrate the topics.

Rules of Thumb

Let's start with the rules of thumb: "all authentication controls must be enforced on a trusted system" which usually is the server where application's backend is running at.

For the sake of system's simplicity, and to reduce the points of failure, you should utilize standard and tested authentication services: usually frameworks have already such module and you're encouraged to use them as they are developed, maintained and used by many people, behaving as a centralized authentication mechanism. Nevertheless you should "inspect the code carefully to ensure it is not affected by any malicious code" and be sure that it follows the best practices.

Resources which require authentication should not perform it themselves. Instead, "redirection to and from the centralized authentication control" should be used. Be careful handling redirection: you should redirect only to local and/or safe resources.

Authentication should not be used only by the application's users but also by your own application when it requires "connection to external systems that involve sensitive information or functions". In such cases "authentication credentials for accessing services external to the application should be encrypted and stored in a protected location on a trusted system (e.g., the server). The source code is NOT a secure location".