In my role as CTO at ThisData, I'm always thinking about end-user security and preventing account hijacking - particularly when their passwords are exposed by phishing or a database breach. Our work is pretty advanced - looking for changes in behavior to determine if it's them or a hacker - but there are many simple steps developers and website creators can take to improve the security of their login forms and user sessions. Let's take a look at five of them.
1) Don't tell attackers when they guess right
Hackers can often obtain user credentials from a breach on another website. For many victims the username and password will be exactly the same on your website too. When they aren't, it's crucial to not help the attackers as they try different variations. When you do, it's a problem known as "information leakage" or "user enumeration".
Here are some examples:
Bad: On the login form, entering a correct email address but wrong password says "Incorrect password". Why? It tells the attacker that they got the email address right.
Better: Say "your email address or password is incorrect". That way they don't know if that user has an account with that email address or not, or if they just got the password wrong.
Bad: On a "Reset your password" page, entering an email address which does not match an account says "There is no account with that email address", and when they get it right it says "We've sent you an email!" Why? An attacker can figure out who has signed up to your website. If you run
help-with-funky-rash.com you don't want to expose the identity of your users. The attacker would also know that they've got the right email, now all they need to do is guess the password.
Better: Say "We've sent you an email!". If that email address matches an account, send them instructions on resetting their password. If it doesn't, send an email with a message like "Someone, maybe you, tried to reset a password on
help-with-a-funky-rash.com, but this email address doesn't have an account! You might have signed up using a different email address." Helpful, and secure!
Bad: On your sign up page, entering an email address which matches an account says "An account with this email address already exists. Please sign in." It's not ideal, for the reasons mentioned in the paragraph above. Some websites do this anyway, because the user experience can be more pleasant for legitimate users, and that outweighs the risk.
Alternative: Have a signup form that accepts an email address, whether it exists or not. To complete the sign up process, you need to check your emails and click a link. That email either says "Welcome! Go here to finish creating your account...", or "Hey, you tried to sign up, but you already have an account! You can sign in here..."
2) Rate limit your log in and password reset forms
Accounts can be compromised more easily when the website doesn't put a restriction on the number of guesses an attacker can make. If they can guess one hundred passwords every second for a week, then there's a pretty good chance they'll gain access to an account. Rate limiting, or throttling, is enforcing a maximum number of attempts within a given time period. If they break the rules, block them for 5-10 minutes or so. Here are some example rate limiting rules to get started:
- Max. 5 password guesses for a user's account, per minute.
- people do forget their password all the time, and can often need a few goes to get it right.
- but it's easy to use multiple IP addresses to get around IP-only rate limiting, so you need to look at the email address too.
- Max. 20 password guesses for an IP address, per minute
- remember shared offices can share the same IP address, and ISPs do the same too, so this needs to be a bit more flexible
- Max 2 password reset requests for a user's account, per minute
- Max 5 password reset requests for an IP, per minute
- Max 5 two-factor-authentication attempts per account, per minute
You'll want to tweak those values to suit your own security and usability needs.
3) Don't enforce bad password rules
Password rules have been very popular in the past, but when they're bad rules they lead to weaker or reused passwords. The United States National Institute for Standards and Technology (NIST) has the following new guidelines for good password policies:
- Do allow users to use any character in a password. Even emoji! 👍 (Whilst being aware of potential normalization headaches)
- Don't force composition rules - e.g. "one special character, at least six numbers, and two rhyming words". They don't work.
- Maybe stop them from using the top 1000 / 100,000 worst passwords (e.g. "password").
- It's a great idea, but there is discussion on how big the blacklist should be, and how to encourage a better password than just adding another character - "password!"
- Don't force them to regularly reset their passwords
- Do have a minimum of 8 characters, and if you want a maximum, it must be at least 64 characters
- Don't do things like password hints.
4) Use 2FA (a second factor)
A very effective way to prevent account compromise at the moment is to use Two Factor Authentication (2FA). The most common method for 2FA at the moment is by using One Time Passwords (OTP) - special codes you force your users to enter during login. However not every user can or wants to add this extra step, and not every website wants to force users through the friction of setting it up and entering codes all the time. BUT! You should always give them the option. It's never been easier to add OTP 2FA to your login process using third-party tools like Authy, or Duo. Both of those also have options for removing the friction of typing codes in favor of pressing a button on a smartphone, if your users have smartphones.
Whether you add one-time-password 2FA or not, a layer that NIST encourages, which is widely seen as best pratice, and which I'd recommend (obviously!😁) is behavioral second factor authentication.
Rather than an “always on” approach to MFA, organizations need to use an adaptive, step-up approach based on context. Authentication requests leverage contextual information such as location, network, device settings and time of day help determine whether the user is really who he claims to be
- Centrify "Best Practices for Multi-factor Authentication"
Behavioral authentication is what we do at ThisData, and as well as providing advanced anomaly detection, we help security by:
- letting you know when a user's account might be getting used by an attacker, and enabling you to automate your security response
- optionally emailing the user too, so that the user has visibility with "Was This You?" emails, empowering them to take quick action to secure their accounts
- giving you visibility into authentication activity on your site, so you can monitor your security more effectively
5) You don't have to do it yourself!
My final tip is this: you don't have to do it yourself. You'll have probably seen "Sign In with Google" buttons on websites before, and it can be worth a bit of extra work to add this to your site too. It's called Single Sign On, and has the following benefits:
- users don't have yet another account they need to remember the password for
- you don't have to worry about information leaks, password policies, resetting passwords, rate limiting, 2FA, etc
The tradeoff is that you're reliant on another service to be always available, users might not remember if they used "Sign In with Google" or "Sign In with Facebook" or "Sign In with Github", and importantly it doesn't absolve you from making sure your implementation and other parts of the website are secure too.
If you're just getting started, then a tool like Auth0 is a fantastic way to provide SSO, and outsource some of that authentication security concern. As with many situations, it can be easier to leave it to the experts, so that you can focus on your core product and unique security needs!
So there we have it, five tips on how to make your login process more secure. Security and usability, especially during password resets and account creation, can be a difficult balance, and the information above can help guide those decisions. What have you done to create a more secure sign in process for your users? Let me know in the comments below.
You might also be interested in reading some other relevant posts:
Blog post banner image used with permission from WOCinTechChat.com.