Patterns for Password Authentication You Should Follow | by Stefan Pfaffel | Mar, 2022

  • lowercase characters
  • uppercase characters
  • at least one digit
  • at least one special character
  • 7 characters — 0.29 milliseconds
  • 8 characters — 5 hours
  • 9 characters — 5 days
  • 10 characters — 4 months
  • 11 characters — 1 decade
  • 12 characters — 12 centuries
Image from Estimating Password Cracking Times (betterbuys.com)
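The character-class list and the cracking-time table above translate directly into a policy check. The following is an added example, not code from the article: it enforces the four classes and a minimum length. The value of MIN_LENGTH is an assumption, chosen at 12 because the table shows the estimated cracking time jumping from months to centuries between 10 and 12 characters.

```javascript
// Added example (not from the original article): a password policy check that
// enforces the four character classes listed above plus a minimum length.
// MIN_LENGTH = 12 is an assumed value; the table above shows length, not
// character classes, is what pushes cracking time from months to centuries.
const MIN_LENGTH = 12;

// Each rule is a name plus a predicate; the failing names are what you report
// back to the user so they know which requirement was missed.
const RULES = [
  { name: 'lowercase', test: (p) => /[a-z]/.test(p) },
  { name: 'uppercase', test: (p) => /[A-Z]/.test(p) },
  { name: 'digit', test: (p) => /[0-9]/.test(p) },
  { name: 'special', test: (p) => /[^A-Za-z0-9]/.test(p) },
  { name: 'length', test: (p) => p.length >= MIN_LENGTH },
];

// Returns the names of the rules the password fails; an empty array means it passes.
function failedRules(password) {
  return RULES.filter((r) => !r.test(password)).map((r) => r.name);
}

function passwordMeetsPolicy(password) {
  return failedRules(password).length === 0;
}

// Usage with the sample password from the bcrypt snippet in this article:
console.log(failedRules('s0//P4$$w0rD'));   // []
console.log(failedRules('password'));       // [ 'uppercase', 'digit', 'special', 'length' ]
```

Report the failed rule names rather than a single "weak password" message; users fix the missing class far more readily when told which one it is.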
const bcrypt = require('bcrypt');
const saltRounds = 10;
const myPlaintextPassword = 's0//P4$$w0rD';
bcrypt.hash(myPlaintextPassword, saltRounds, function(err, hash) {
  if (err) throw err;
  // Store hash in your password DB; never store myPlaintextPassword itself.
});
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String result = encoder.encode("password");
  • Find registered users/email addresses
  • Crack a user’s password to gain access to their data
Invalid username or password message found on npm | Sign In (npmjs.com)
  • Reduce the lifetime of the reset link to one hour, for example.
  • Make sure the reset link has no identifiable information to allow an attacker to guess reset links of other users.
  • Invalidate all active sessions of the user that requested the password reset.
  • Ensure users can only use the reset link once.
