The following is a list of authentication guidelines:
- Usernames or user identifiers must be unique for each user and be case insensitive (user is the same as User).
- Enforce a strong password policy that prevents the use of the following as passwords:
  - Username as password
  - Short (that is, less than eight characters) passwords
  - Single-case passwords, that is, all lowercase or all uppercase
  - Passwords drawn from a single character set, such as all numbers or all letters with no special characters
  - Number sequences (123456, 9876543210)
  - Celebrities, TV shows, movies, or fictional characters (Superman, Batman, Star Wars)
  - Passwords in public dictionaries, such as the top-25 most common passwords
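The policy above can be expressed as a small validator that returns every rule a candidate password breaks, so the user sees all problems at once rather than one per submission. This is an added example, not code from the book: `check_password`, `COMMON_PASSWORDS` and `POP_CULTURE_WORDS` are names chosen here, and both word lists are tiny constructed samples standing in for the full public lists a real deployment would load. "Single character set" is read as fewer than two of letters, digits and special characters, and the sequence check catches strictly ascending or descending digit runs.

```python
import re

MIN_LENGTH = 8

# Constructed sample of a public "most common passwords" list; load the real
# top-N list from a file in production.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "admin"}

# Constructed sample of celebrity / show / character names to reject.
POP_CULTURE_WORDS = {"superman", "batman", "starwars", "spiderman"}


def _is_number_sequence(pw: str) -> bool:
    """True for all-digit passwords whose digits step by exactly +1 or -1 (123456, 9876543210)."""
    if not pw.isdigit() or len(pw) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def check_password(username: str, password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []

    if password.lower() == username.lower():
        problems.append("password equals username")

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    letters = [c for c in password if c.isalpha()]
    if letters and (all(c.islower() for c in letters) or all(c.isupper() for c in letters)):
        problems.append("single case (all lowercase or all uppercase)")

    # Count which character classes are present: letters, digits, specials.
    classes = sum([
        bool(letters),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 2:
        problems.append("single character set")

    if _is_number_sequence(password):
        problems.append("number sequence")

    # Strip punctuation and spaces so "Star Wars!" still matches "starwars".
    normalized = re.sub(r"[^a-z0-9]", "", password.lower())
    if normalized in POP_CULTURE_WORDS:
        problems.append("pop-culture name")

    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in public password list")

    return problems
```

Usage: call `check_password(username, candidate)` at registration and password change and reject the change if the returned list is non-empty, echoing each entry back to the user.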
- Always use secure protocols, such as TLS, to submit login information.
- Do not disclose information about the existence or validity of a username in error messages or response codes (for example, do not respond with a 404 code when a user is not found).
- To prevent brute-force attacks, implement a temporary lockout after a certain number of failed attempts: five is a well-balanced number, so that a user who fails to log in five consecutive times is locked out for a certain amount of time, say twenty or thirty minutes.
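The two guidelines above (no username disclosure in responses, and a temporary lockout after five failures) fit together in one login routine, shown here as an added example rather than code from the book. `Authenticator`, `Account`, `GENERIC_FAILURE` and the injectable `clock` parameter are names chosen for this example; the constants use the book's figures (five attempts, thirty minutes) and PBKDF2-HMAC-SHA256 at 600,000 iterations, OWASP's current minimum for that construction. Every failure, including "unknown user" and "locked", returns the same message so the response reveals nothing about the account.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

MAX_FAILURES = 5               # five consecutive failures, as the guideline suggests
LOCKOUT_SECONDS = 30 * 60      # thirty minutes, the upper end of the suggested range
PBKDF2_ITERATIONS = 600_000    # OWASP's current minimum for PBKDF2-HMAC-SHA256
_DUMMY_SALT = b"\x00" * 16     # used only to equalize work for unknown usernames

# One message for every failure reason, so neither the body nor the status code
# reveals whether the username exists, the password was wrong or the account is locked.
GENERIC_FAILURE = "Invalid username or password."


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive failed attempts since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class Authenticator:
    """In-memory user store with a temporary lockout; the clock is injectable for testing."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        key = username.lower()                        # identifiers are case-insensitive
        salt = os.urandom(16)
        self._accounts[key] = Account(salt, hash_password(password, salt))

    def is_locked(self, username: str) -> bool:
        acct = self._accounts.get(username.lower())
        return acct is not None and acct.locked_until > self._clock()

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        now = self._clock()
        acct = self._accounts.get(username.lower())
        if acct is None:
            # Burn the same amount of work as a real check so response time
            # does not distinguish unknown users from wrong passwords.
            hash_password(password, _DUMMY_SALT)
            return False, GENERIC_FAILURE
        if acct.locked_until > now:
            return False, GENERIC_FAILURE              # locked: same generic answer
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failures = 0
            return True, "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0                          # counter restarts after the lockout
        return False, GENERIC_FAILURE
```

Note that a correct password submitted during the lockout window is also rejected with the generic message, and that the lockout is keyed on the account rather than the client address, so it holds even when attempts arrive from many sources.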
- If the password reset feature is implemented, ask for the username or email and the security question, if available. Then, send a one-time reset link to the user's registered email or to their mobile phone through SMS. This link must be disabled after the user resets their password or after a certain amount of time, perhaps a couple of hours, if that doesn't happen.
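The reset link described above has two lifecycle requirements: it stops working once used, and it expires on its own after a couple of hours. The store below, an added example that is not code from the book, implements both; `ResetTokenStore`, `build_reset_link`, `RESET_TOKEN_TTL` and the injectable `clock` are names chosen here. Only a SHA-256 fingerprint of each token is kept server-side, so a leaked database does not yield usable links, and issuing a new token for a user revokes any earlier outstanding one.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

RESET_TOKEN_TTL = 2 * 60 * 60   # two hours, as the guideline suggests


class ResetTokenStore:
    """Issues single-use, expiring reset tokens and stores only their hashes."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # token fingerprint -> (username, expiry as epoch seconds)
        self._tokens: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str) -> str:
        # Revoke any earlier outstanding token for this user before issuing a new one.
        self._tokens = {h: v for h, v in self._tokens.items() if v[0] != username}
        token = secrets.token_urlsafe(32)             # 256 bits from the OS CSPRNG
        self._tokens[self._fingerprint(token)] = (username, self._clock() + RESET_TOKEN_TTL)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the username the token belongs to, or None if unknown, used or expired."""
        # pop() removes the entry, so a second redemption of the same token fails.
        entry = self._tokens.pop(self._fingerprint(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None
        return username


def build_reset_link(base_url: str, token: str) -> str:
    """Compose the URL to send by email or SMS; the token travels only in this link."""
    return f"{base_url}/reset-password?token={token}"
```

The reset endpoint calls `redeem` once with the token from the link, sets the new password only when it returns a username, and answers with the same generic message whether the token was unknown, already used or expired.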
- When implementing MFA, favor third-party, widely tested frameworks: Google Authenticator or Authy if using mobile applications, or RSA or Gemalto devices if a physical token or smart card is required.
- Avoid implementing custom or home-made cryptography and random generation modules, and favor standard algorithms from well-known libraries and frameworks.
- Ask for re-authentication on sensitive tasks, such as changing a user's privileges, deleting sensitive data, or modifying global configuration.
OWASP has a quick guide on best practices for implementing authentication on web applications at https://www.owasp.org/index.php/Authentication_Cheat_Sheet.