What are the Best Practices for Account Protection?
Account management, authentication, and password management are essential activities for protecting data. Users interact with accounts through a myriad of activities and from many different types of devices, and complete account protection requires a close look at each of these relationships and interactions.

Authentication is the process of verifying that an individual, entity, or website is the true, authorized user. In the context of web applications, authentication is commonly performed by submitting a username or ID and one or more items of private information that only the authorized user would know.1

Session management is the process by which a server maintains the state of an entity interacting with it, so that it can remember how to react to subsequent requests throughout a transaction. Sessions are held on the server and referenced by a session identifier that is passed back and forth between client and server with each request and response. For the life of the session that identifier is equivalent to the user's credentials: anyone who obtains it can act as the user. Authentication and session management therefore have to be designed together to keep accounts secure.
Account management best practices2:
Hash passwords. Plaintext passwords should never be stored under any circumstances, and neither should reversibly encrypted ones. Store only a salted hash computed with a deliberately slow, memory-hard password hashing function (Argon2id, scrypt, bcrypt, or PBKDF2), never a fast general-purpose hash such as MD5 or SHA-256. The salt is a unique, randomly generated value stored alongside that specific credential; it ensures that two users with the same password get different hashes and that precomputed tables are useless. Add a pepper as well: hash the password as usual, then encrypt the hash (or compute an HMAC over it) with a secret key that is kept outside the database, for example in a secrets manager or HSM, so that a database dump alone is not enough to verify password guesses offline.
Third-party identity. Third-party identity providers such as Google, Facebook, and Twitter can authenticate users on your behalf over standard protocols such as OAuth 2.0 and OpenID Connect. You then hold no password for those users, but you inherit the provider's account recovery and multi-factor posture, so treat the linked identity as the credential it is.
Separate user identities and user accounts. Keep the user account (the internal record your data hangs off) separate from the credentials used to sign in to it: give every account an immutable internal identifier, and do not use email addresses or phone numbers as that identifier. This simplifies adding third-party identity providers, changing usernames, and linking accounts, because credentials can come and go without touching the record they point to.
Link multiple identities. When a common identifying detail, such as a phone number or email address, matches an existing user in your database, the new sign-in can be linked to that account instead of creating a duplicate. Only link on identifiers that have been verified on both sides: linking on an unverified email address asserted by an identity provider lets an attacker attach a foreign login to a victim's account.
Allow long passwords. Set a generous maximum length (OWASP recommends allowing at least 64 characters) and accept any printable Unicode, including emoji and whitespace, if users so choose. Normalize the input consistently (for example to NFKC) before hashing so that the same password typed on different platforms produces the same bytes, and never silently truncate; bcrypt, for instance, only uses the first 72 bytes. Length and complexity otherwise follow password best practices.
No unreasonable username rules. Tight restrictions such as long minimum-length requirements or many blocked characters are not user-friendly and may deter some users. Assigning usernames is an alternative, provided they are not predictable; sequential identifiers make account enumeration trivial.
Validate identity. Send a verification code to the supplied email address or phone number as soon as it is provided. Until it is verified, that contact cannot be relied on for account recovery or identity linking, and users who lose access to an unverified account may have no way back in.
Allow username changes. Legacy systems may make it hard to change usernames; where that is the case, a requested change can be honoured by adding an alias, with the old name retired or reserved so it cannot be claimed by someone else and used to impersonate the original owner.
Allow user account deletion. Self-service deletion of an account and its associated PII is rare, often because of regulatory or retention concerns. One way to reconcile the two is to let users schedule their account for automatic deletion after a grace period, which also leaves a window to reverse a deletion triggered from a compromised session.
Use two-factor authentication. Offer the strongest second factor you can, with FIDO2/WebAuthn security keys or authenticator apps ahead of SMS, and remember that an account is only as secure as its weakest enabled 2FA method or account recovery path: a phishing-resistant factor buys nothing if recovery falls back to an SMS code or a security question.
Make user IDs case-insensitive. Smartphones often autocorrect capitalization and spelling, and many users will not remember the exact case of their username. Apply the same canonicalisation everywhere (sign-up, sign-in, recovery) so that two accounts cannot exist that differ only in case.
Secure auth system. A well-maintained authentication library or managed identity service handles much of the above (password hashing, rate limiting, 2FA, recovery flows) and receives security fixes you would otherwise have to write yourself; prefer one over a home-grown implementation.
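The "Hash passwords" and "Allow long passwords" items above, put into working code. This is an added example, not code from the page or from the cited sources: it uses scrypt from the Python standard library (Argon2id would be the first choice, but needs a third-party package), NFKC-normalizes the password before hashing, salts each credential individually, and peppers the result with a server-side key. The page describes encrypting the hash with a symmetric key; this example uses the keyed-HMAC variant of peppering, which achieves the same goal (a database dump alone cannot be used to verify guesses) without an extra crypto library. Function names, the record format and the pepper value are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional

# scrypt work factors: N=2**14, r=8 touches 16 MiB per hash. Tune upward for
# your hardware; the values are stored in the record so they can be raised later.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
MAX_PASSWORD_CHARS = 256   # generous, but bounded so huge inputs cannot be used for DoS


def _normalize(password: str) -> bytes:
    """NFKC-normalize so the same password typed on different platforms hashes identically."""
    if len(password) > MAX_PASSWORD_CHARS:
        raise ValueError("password too long")
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$tag_hex.

    pepper is a server-side secret held outside the database (secrets manager,
    HSM, environment of the auth service); it is never written into the record.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # unique per credential
    digest = hashlib.scrypt(_normalize(password), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Peppering: key the stored value with the secret. An attacker who has only
    # the database rows cannot recompute tags and therefore cannot test guesses.
    tag = hmac.new(pepper, digest, hashlib.sha256).digest()
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${tag.hex()}"


def verify_password(password: str, stored: str, pepper: bytes) -> bool:
    """Recompute the record from the candidate password and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, tag_hex = stored.split("$")
        if algo != "scrypt":
            return False
        digest = hashlib.scrypt(_normalize(password), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=32)
    except ValueError:            # malformed record or over-long password
        return False
    expected = hmac.new(pepper, digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, bytes.fromhex(tag_hex))


if __name__ == "__main__":
    pepper = b"constructed-example-pepper"   # load from a secrets store in real code
    record = hash_password("correct horse battery staple \U0001F40E", pepper)
    print(record)
    print(verify_password("correct horse battery staple \U0001F40E", record, pepper))
    print(verify_password("Tr0ub4dor&3", record, pepper))
```

Because the cost parameters travel inside the record, a login that verifies with old parameters can be re-hashed with higher ones on the spot; rotating the pepper, by contrast, requires every user to log in again under the HMAC variant, which is the one advantage of the encrypt-the-hash form the page describes (decrypt and re-encrypt offline).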
Also consider these session management aspects for account protection3:
- Session ID name fingerprinting: use a generic cookie name such as id rather than a framework default (PHPSESSID, JSESSIONID, ASP.NET_SessionId), which tells an attacker which stack you run
- Session ID length: at least 128 bits
- Session ID entropy: generated by a cryptographically secure random number generator with at least 64 bits of entropy, so identifiers cannot be predicted or brute-forced
- Session ID content: an opaque random value with all state kept server-side; nothing meaningful (user ID, role, timestamps) encoded in it
- Session ID exchange mechanisms: cookies, not URL parameters, which leak through logs, Referer headers, and browser history
- Transport layer security: HTTPS for the whole session, with HSTS, so the identifier is never sent in the clear
- Cookie attributes: Secure, HttpOnly, SameSite, and a tight Path and Domain (or the __Host- prefix, which enforces Secure, Path=/ and no Domain)
- HTML5 web storage API: do not keep session identifiers in localStorage or sessionStorage, where any script running on the origin can read them
- Session expiration: both an idle timeout and an absolute timeout, logout that invalidates the session server-side, and a fresh identifier after login or any privilege change to defeat session fixation
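The session-management points above as a minimal server-side implementation. This is an added example, not code from the page or from the OWASP cheat sheet: it generates an opaque 256-bit identifier from a CSPRNG, keeps all state server-side, enforces both an idle and an absolute timeout, rotates the identifier after login to defeat fixation, and emits a Set-Cookie value with the recommended attributes under a generic __Host- name. The in-memory store, the timeout values and the injectable clock (used so the timeouts can be exercised without waiting) are assumptions of this example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# __Host- prefix: the browser only accepts the cookie if it is Secure, has Path=/
# and no Domain attribute, so a subdomain cannot overwrite it. The name itself
# says nothing about the framework in use (no PHPSESSID / JSESSIONID).
COOKIE_NAME = "__Host-id"
ID_BYTES = 32                    # 256 bits from a CSPRNG; OWASP floor is 64 bits entropy, 128 bits length
IDLE_TIMEOUT = 15 * 60           # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # hard lifetime regardless of activity


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float


class SessionStore:
    """In-memory server-side session table (assumed; production would use a shared store).

    The identifier is opaque: nothing about the user is encoded in it, all state lives here.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(ID_BYTES)   # never derived from user data or time
        now = self._clock()
        self._sessions[sid] = Session(user_id, now, now)
        return sid

    def resolve(self, sid: str) -> Optional[str]:
        """Return the user for a live session, enforcing both timeouts; expired ones are destroyed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        s.last_seen = now
        return s.user_id

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a fresh identifier for an existing session.

        Call this after login or any privilege change so that an identifier the
        attacker planted beforehand (session fixation) becomes worthless.
        """
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = secrets.token_urlsafe(ID_BYTES)
        self._sessions[new_sid] = s
        return new_sid

    def destroy(self, sid: str) -> None:
        """Server-side invalidation on logout; clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value carrying the attributes the OWASP cheat sheet recommends."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_cookie_header(cookie_header: str) -> Optional[str]:
    """Pull our session identifier out of a raw Cookie request header; other cookies are ignored."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.create("anonymous")          # e.g. a cart before authentication
    sid = store.rotate(pre_login)                  # new ID at login: fixation defeated
    print(set_cookie_header(sid))
    print(store.resolve(pre_login), store.resolve(sid))   # None, anonymous
```

The identifier is never accepted from the URL, only from the Cookie header, and a session that fails either timeout is deleted on the spot rather than merely reported as expired, so a later replay of the same value finds nothing.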
1 OWASP, 2021, “Authentication Cheat Sheet”
2 Maddox, 2021, “13 Best Practices for User Account, Authentication, and Password Management, 2021 Edition”
3 OWASP, 2021, “Session Management Cheat Sheet”