Creating a secure login is one of the first and most important steps in building any user-facing application, and a large share of the attacks we see are related to broken authentication.
List of tips on how to create a secure login
- Do not rely on the "autocomplete" attribute of input fields as a security control. Modern browsers ignore autocomplete="off" on login and password fields, and disabling it only gets in the way of password managers; set autocomplete="username" and autocomplete="current-password" (or "new-password" on registration) instead, and keep credentials out of the browser cache with the headers described below.
- Require a minimum password length of 8 characters, allow much longer passphrases, and follow current guidelines (for example NIST SP 800-63B), including checking new passwords against lists of common or breached passwords. A password generator can help users pick strong passwords, but example passwords published by such tools should never be used as-is.
- Usernames should be restricted to an alphanumeric character set and validated on the server before they reach the database, and output-encoded wherever they are displayed so that a crafted username cannot be used for cross-site scripting. Client-side checks are a convenience, not a control.
- Transmit the username and password only over TLS (HTTPS); never send credentials over plain HTTP.
- Error messages should be generic for every kind of wrong input ("Invalid username or password"). They must never expose database errors, stack traces, or whether the username exists.
- Store passwords only as salted hashes produced by a deliberately slow password-hashing function (Argon2id, bcrypt, or scrypt), never encrypted and never in a fast general-purpose hash such as MD5 or SHA-1.
- Always compare the user-supplied password with the stored hash using the verification function that ships with the password-hashing library of your development language; it recomputes the hash with the stored salt and parameters and compares the result in constant time.
- After a successful login POST, redirect the user to another page (the POST/redirect/GET pattern) so that the browser's back button cannot resubmit the credentials or re-display the login form with them filled in.
- Generate session tokens with a cryptographically secure random number generator from a well-reviewed library (at least 128 bits of entropy); never derive them from predictable values such as usernames, counters, or timestamps.
- Destroy the session on logout properly: invalidate it on the server side, not merely by clearing the cookie in the browser.
- Follow the security-header tutorial to prevent caching of pages that carry credentials or session data:
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
It is recommended to set the important security headers on the server and to avoid the following cipher families in the TLS configuration:
- Null ciphers
- Anonymous ciphers
- EXPORT ciphers
Only AEAD cipher suites such as AES-GCM (and ChaCha20-Poly1305), negotiated with forward-secret ECDHE key exchange, are recommended; you can follow the cheat sheet for TLS here.
- Ensure that logging never records credential details: passwords, session tokens, and password-reset tokens must not appear in application or access logs.
- Implement the forgot-password flow securely and never send passwords by e-mail in plain text. The right approach is to verify the request (for example by confirming details the user registered), then send a short-lived, single-use reset link to the e-mail address on file; the link must use HTTPS.
The tips above are the basic and most important ones for creating a secure login; they are easy to implement if you follow the guidelines shared by OWASP, in particular the Authentication Cheat Sheet.