Secure Coding for Authentication

Part 1 of Secure Coding for Software Engineers series.

Photo by Onur Binay on Unsplash

Introduction

In today's digital age, where information flows seamlessly across the virtual realm, the importance of secure coding has never been more critical. Applications and systems are continually under the watchful eyes of both benevolent users and malicious actors. The first line of defence in this ever-evolving battleground is robust authentication. 

This section provides 13 essential tips for software engineers to integrate into their applications' authentication processes. These recommendations aim to strengthen your applications by enhancing security measures against unauthorized access, simultaneously cultivating trust among your user base, and ensuring the protection of sensitive data.

1. Utilize secure, unique, and case-insensitive usernames

Let’s say you are developing a web application that necessitates users to create accounts using their chosen usernames. It's not uncommon for multiple users to desire the same username, differing only in letter casing, like 'HappyBunny,' 'happyBunny,' and 'HAPPYBUNNY.' Storing these variations as separate entities in your database can potentially lead to login issues down the line.

To address this challenge, consider standardizing all usernames to a common format, typically lowercase, to eliminate case-related discrepancies. By storing a single, standardized value, such as 'happybunny,' the potential for confusion is drastically reduced. 

To implement this, validate the chosen username's availability before finalizing new account credentials. This process ensures that the first user to select the username 'happybunny' proceeds successfully, while subsequent users receive an error message indicating that the username is already in use. This approach guarantees the uniqueness of usernames within your database.

For applications with stringent security requirements, an alternative approach is to have the system generate a username on the user's behalf. This practice is particularly prevalent in corporate systems, where employees are assigned predetermined usernames.

2. Avoid using internal accounts for front-end logins

Establish a clear distinction between user accounts designed for external or front-end access and those intended for internal purposes. Under no circumstances should internal accounts be employed for external access.

Maintain a separate set of credentials exclusively for internal use. These credentials must be handled with the utmost confidentiality and shared only with authorized personnel. 

Examples of such sensitive accounts include administrator accounts, root accounts, database administrator (DBA) accounts, vendor accounts, and cloud service provider (CSP) accounts. These accounts should never be utilized to log into any front-end interface.

Recognizing their exclusive internal role, it is crucial not to employ the same authentication method for Demilitarized Zone (DMZ) and public access. Instead, employ a distinct set of credentials and separate login procedures when accessing these interfaces.

By adhering to these best practices, the security and integrity of sensitive internal accounts can be effectively maintained, ensuring they remain protected from unauthorized external access.

3. Enforce a minimum password length of 8 characters

Weak passwords are vulnerable to brute force attacks, making it essential to adhere to best practices regarding password length:

• Mandatory minimum length: Implement a strict policy mandating a minimum password length of 8 or more characters. This serves as an initial defense against simple password breaches.

• Length consideration: Do not restrict or truncate passwords that exceed a certain length limit. Allowing longer passwords enhances security by enabling users to create complex and harder-to-guess passphrases.

• Inclusive character set: Enable the use of all characters, including Unicode characters and whitespace. This broadens the possibilities for creating strong and diverse passwords.

• Credential rotation: In the event of a password leak or compromised credentials, enforce mandatory credential rotation. This practice bolsters security by rendering any leaked credentials obsolete.

• Password strength feedback: Provide users with password strength feedback to assist them in crafting more secure passwords. This feedback mechanism can also prevent the use of passwords that have been compromised in the past or those recognized as common and easily guessable.