Overview#
Best Practices Password is a collection of Best Practices for dealing with Passwords, accumulated from many years of experience and a variety of sources.
Best Practices Password is not JUST technical, but also about Business Best Practices.

passwords?
The Number One Best Practice is to not do Password Storage Schemes at all. Nothing is more efficient than not doing it at all. If you can, use OpenID Connect or User-Managed Access instead.

HTTPS#
In essence, the only practical way to protect against wiretapping / packet sniffing during login is by using HTTPS or another certificate-based encryption scheme, or a proven and tested challenge-response scheme (for example, the Diffie-Hellman-based SRP).

Server-Side Login throttling schemes to prevent Brute-Force Password Attackers#
CAPTCHAs are meant to thwart one specific category of attack: automated dictionary/Brute-Force trial-and-error with no human operator.
Remember Me Checkbox#
Persistent Login Cookies ("Remember Me" functionality) are a danger zone.
Using Identity questions#
Do not implement 'secret questions'. The 'Identity questions' feature is a security Anti-pattern and a Password Anti-Pattern.

Web Authentication#
NIST.SP.800-63B changes the requirements for memorized secrets (i.e. passwords) in several ways.

organizational Entity mandate regular Password Periodic Changes?

Multi-Factor Authentication#
The most common method for 2FA at the moment is One-Time passwords (OTP): special codes you force your users to enter during login. However, not every user can or wants to add this extra step, and not every website wants to force users through the friction of setting it up and entering codes all the time.
You SHOULD always give them the option. It's never been easier to add OTP 2FA to your login process using third-party Authenticator Apps. Both of those also have options for removing the friction of typing codes in favor of pressing a button on a smartphone, if your users have smartphones.
Risk-Based Authentication#
Whether you add one-time-password 2FA or not, Risk-Based Authentication is a layer that NIST encourages, which is widely seen as Best Practice, and which I'd recommend. Rather than an “always on” approach to MFA, organizations need to use an adaptive, step-up approach based on context. Risk-Based Authentication requests leverage contextual information such as Geolocation, Internet Protocol Address, device Fingerprinting and time of day to help determine whether the user is really who he claims to be.
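The adaptive, step-up approach described above, as an added example in Python (not code from the original page or from NIST): a risk scorer over the contextual signals the text names, which lets a familiar context log in without friction, demands an OTP on moderate risk, and refuses when almost everything about the request is new. The signal weights, the thresholds, the grouping of addresses by /24 prefix and the sample addresses and fingerprints are assumptions made for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_network
ALLOW, STEP_UP, DENY = "allow", "step-up", "deny"
@dataclass
class UserProfile:
    """Context the server observed for one account on earlier verified logins."""
    countries: set = field(default_factory=set)
    networks: set = field(default_factory=set)      # /24 prefixes seen before
    devices: set = field(default_factory=set)       # device fingerprint ids
    active_hours: set = field(default_factory=set)  # UTC hours of past logins

# One login attempt: Geolocation country, client IP address, device fingerprint, hour of day.
LoginContext = namedtuple("LoginContext", "country ip device_fp hour_utc")

def risk_score(profile, ctx):
    """Weighted sum of contextual anomalies; 0 means this looks like every earlier login."""
    score = 0  # the weights below are illustrative assumptions, not values from the page
    if ctx.country not in profile.countries:
        score += 40  # a new country is the strongest single signal
    if ip_network(f"{ctx.ip}/24", strict=False) not in profile.networks:
        score += 15
    if ctx.device_fp not in profile.devices:
        score += 30  # unknown device: a new browser, or someone else's machine
    if ctx.hour_utc not in profile.active_hours:
        score += 10
    return score

def decide(profile, ctx, step_up_at=25, deny_at=80):
    """ALLOW a familiar context, STEP_UP (demand an OTP) on moderate risk, DENY when most is new."""
    if not profile.devices:
        return STEP_UP  # edge case: no history yet, so enrol through a verified login
    score = risk_score(profile, ctx)
    if score >= deny_at:
        return DENY
    return STEP_UP if score >= step_up_at else ALLOW

def record_success(profile, ctx):
    """Learn the context only after the password (and any step-up OTP) was verified."""
    profile.countries.add(ctx.country)
    profile.networks.add(ip_network(f"{ctx.ip}/24", strict=False))
    profile.devices.add(ctx.device_fp)
    profile.active_hours.add(ctx.hour_utc)

if __name__ == "__main__":
    # Constructed sample: RFC 5737 documentation addresses and fictitious fingerprints.
    alice = UserProfile()
    record_success(alice, LoginContext("DE", "203.0.113.7", "fp-laptop", 9))
    print(decide(alice, LoginContext("DE", "203.0.113.7", "fp-phone", 9)))     # step-up
    print(decide(alice, LoginContext("BR", "198.51.100.4", "fp-unknown", 3)))  # deny
```

Because history is only recorded after a verified login, an attacker who guesses the password from an unfamiliar country and device still faces the step-up or is refused outright.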
More Information#
There might be more information for this subject on one of the following:
- Password Anti-Pattern
- Password Authentication is Broken
- Password Strength
- Web Authentication
- [#1] - The definitive guide to form-based website authentication - based on information obtained 2016-08-10